New Release: Tor Browser 9.0.7

by sysrqb | March 23, 2020

Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Tor.

This release updates Tor to 0.4.2.7 and NoScript to 11.0.19.

In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow Javascript by:

  • Open about:config
  • Search for: javascript.enabled
  • The "Value" column should show "false"
  • Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.

We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.

In addition, HTTPS-Everywhere version 2020.3.16 supports a new mode of operation named EASE (Encrypt All Sites Eligible). Tor Browser users should not enable this feature. This new mode allows for adding per-site exceptions (whitelisting), however adding per-site exceptions may increase a user's uniqueness while using Tor Browser. When EASE mode is enabled, the whitelisting feature does not always work correctly, as well. We decided against downgrading the included https-everywhere version.

The full changelog since Tor Browser 9.0.6 is:

  • All Platforms
    • Bump NoScript to 11.0.19
    • Bump Https-Everywhere to 2020.3.16
    • Bug 33613: Disable Javascript on Safest security level
  • Windows + OS X + Linux
    • Bump Tor to 0.4.2.7

 

Update 2020-03-25: Added Https-Everywhere upgrade in ChangeLog and message about EASE mode.

Comments

Please note that the comment area below has been archived.

random_guy (not verified) said:

March 23, 2020

Permalink

Oh yeah, one more thing, the search suggestions are showing up in addres bar when you type the website, even if you dont have that option enabled.

"Search suggestions" are those queried from web-based "search engines" and are disabled by default in Tor Browser. The address bar in Firefox autocompletes what you type based on your recent history, tabs, and bookmarks saved in the browser on your device, locally. (Tor Browser is based on Firefox ESR.)

https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox

Machine (not verified) said:

March 23, 2020

Permalink

Ehh, all downloads on the Tor Browser download page are still only version 9.0.6.
How come so sloppy?

Venom (not verified) said:

March 23, 2020

Permalink

Hello! Updating Tor Browser for android-9.0.6-arm7 to Tor Browser for android-9.0.7-arm7 is not possible for unknown reasons! The Android device refuses to update. The new version of Tor Browser for android 9.0.7 is not installed. Why?

You should check the Cryptographic Signatures of your Apks.
It is possible that the 9.0.6 or 9.0.7 apk is not the official one, it is modified.
If you have downloaded both of the apks from official resources (PlayStore, F-droid, torproject.org) it is not likely they have been modified by the developers-market admins.
In that case you should search for malware or someone did a MiTM attack against you.

Also mention that if you have downloaded Tor Browser from PlayStore and then tried do update it from F-droid, or reverse, it is not possible to do that. Maybe the same applies with torproject.org and playstore. It has to update if you do the same with F-droid and torproject.org

pf.team (not verified) said:

March 23, 2020

Permalink

> Tor Browser 9.0.7 is now available from the Tor Browser download page

Download links haven't updated and still pointed to the version 9.0.6.

Anonymous (not verified) said:

March 23, 2020

Permalink

Why do you seriously mention you ship NoScript v.11.0.19 here, but the NoScript developer turns around to upgrade it in TBB to v.11.0.22, and suppose no one really checks what that changes, and a ticket to prevent this hijacking possibility exists, and nobody cares?

Anonymous (not verified) said:

March 24, 2020

Permalink

I take this update to mean NoScript allowed Javascript to be executed despite it being configured to not do so via a Firefox vulnerability? And the fix is to disable Javascript via about:config? If users restore previous behavior, does that mean they are vulnerable?

Noscript includes some workarounds for the Firefox ESR bug that should prevent that from happening, but we don't know for sure if that is enough, so for safety we disabled javascript completely. If users restore the previous behavior, that does not automatically mean they are vulnerable, but we don't know for sure.

An other option is to switch the security level before visiting a website where you want to enable javascript. But you should remember that that it applies to all open tabs, and switch it back to Safest before visiting other websites.

Anonymous (not verified) said:

March 24, 2020

Permalink

> But you should remember that that it applies to all open tabs, and switch it back to Safest before visiting other websites.

If a background tab on Safest has <meta http-equiv="refresh" content="5"> and I drop my active tab to Safer, does the background tab begin refreshing? Tor Browser's defaults for accessibility.blockautorefresh and browser.meta_refresh_when_inactive.disabled are false.

Normalmente, guardi l'impostazione del tuo livello di sicurezza.
https://tb-manual.torproject.org/it/security-settings/

Ma il post sul blog spiega che gli sviluppatori hanno implementato precauzioni per impedire a NoScript di gestire gli script in modalità "Sicurissimo" a causa di un bug in NoScript. L'impostazione precauzionale può essere vista da:

  • Aprire about:config
  • Cercare: javascript.enabled Questo è ora falso in modalità "Sicurissimo" fino a quando il bug non viene corretto.

SC (not verified) said:

March 24, 2020

Permalink

Have you fixed the problem with NoScript? For a long time it has been suddenly, for no reason. cancelling settings for individual tabs and reverting to "safest"

Aninimas (not verified) said:

March 29, 2020

Permalink

This is a NoScript problem, I believe it happens in my non-Tor Firefox browser as well.

My use case is having a Protonmail inbox tab open at all times. Tor security = safest, "Temp TRUSTED" turned on for the Protonmail JS. Every so often (haven't figured out what kind of interval, sometimes seems to be after hours of use sometimes seems to be in under an hour), Protonmail will get a "cannot connect to server" message. The Noscript button will now show the JS permission for the page as "Default" instead of "Temp Trusted".

Hot tip for others with this problem: I can make the JS in the tab work again without reloading (and thus avoid having to log in again) by opening a new tab with Protonmail, enabling JS, and closing it.

PS Thanks for detailing why changing the JS trust permissions using the Noscript button doesn't work this update! I was a little >:( for a minute until I saw it was working as expected.

Then remember to clear your clipboard when you close the Tor browser as the below was copied form my clipboard (after I closed the Tor brower).. "A persons information should beprivate"

*Its about time that Tor cleared the clipboard after exit as the above could of been a Journalists whole sensitive email, then heads can roll*

> Its about time that Tor cleared the clipboard after exit

Long ago, it did in Windows because it inherited something from Firefox.

What if your clipboard is something you did not copy from Tor Browser? I clear the clipboard myself by copying nonsense. This way, I control when it is cleared and verify it is cleared. I paste into a plain text editor like Notepad or into Tor Browser address bar before I close it. Make sure the plain text editor does not automatically save backups, and make sure not to press Enter in address bar.

https://trac.torproject.org/projects/tor/query?status=accepted&status=a…

https://blog.torproject.org/comment/189604#comment-189604

Running this command seems to be working fine

C:\Windows\System32\cmd.exe /c echo. | clip

Thanks.

Is there one for Android? As Android seems to save something like the last ten things that you copy.

I suppose my concern is if everything that is copied while using Tor gets copied to a program that is outside of Tor then can it just be accessed and collected each time that something is copied?.
If so then it makes me think that nothing should be copied while using Tor.

Long ago, it did in Windows because it inherited something from Firefox.

Ah!, that's probably why I was shocked to find out that it was doing this when I tested it recently, as I'm sure that I would of tested it in the past.

Lesson learned "take nothing for granted" things can change.

Good advise and thanks for the links.

My concern is that this is not commonly known by users and I really don't think that users would expect things to be copied by default outside of a browser designed for privacy.

Even if known about just forgetting to clear the clipboard once might not be good.

Hopefully Jounelists wouldn't even use Android or Windows : )

*spooky* "sorry there was an error blah, blah, message not posted".

So I had to copy my entire message from the error page then post it out of the clipboard, great! haha o_0

SMF (not verified) said:

March 24, 2020

Permalink

This update breaks Tor, at least in win64, with the following startup error:

The procedure entry point RSA_get0_d could not be located in the dynamic link library C:\Users\MyUser\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe

anon (not verified) said:

March 24, 2020

Permalink

I understand the precaution with disabling JavaScript entirely. I just want to ask whether uMatrix is affected by this Firefox ESR vuln as well? If not, wouldn't it be preferable to simply replace NoScript with uMatrix instead of disabling JavaScript entirely?

Anonymous (not verified) said:

March 24, 2020

Permalink

Interestingly, this ticket mentions that uMatrix is undesirable because it doesn't block WebGL as NoScript does. Well, by default NoScript also allows WebGL as soon as you allow scripts from a certain site (Trusted zone in NoScript).

IMHO, the NoScript config that ships in TorBrowser must not enable WegGL by default for all NoScript Trusted sites. Make that setting controlled by Security Level, etc.

omicron (not verified) said:

March 24, 2020

Permalink

Thanks for the javascript workaround, allowing us to tweak java script permissions on a per-site basis whilst staying on the safest mode. It was driving me nuts!

But the "security level" easement allows ALL spying and 3-rd party scripts as well. Isn't it a bigger problem?
Do you want to be slightly fingerprinted or completely profiled? Your choice.

For comparison, Tails adds to TorBrowser an add-on to disable the known bad scripts - uBlock Origin. And since it's included for all users, the fingerprinting is not an issue.

> Isn't it a bigger problem? Do you want to be slightly fingerprinted or completely profiled?

Yes, it is a bigger problem for a community using Tor Browser because a unique fingerprint makes you stand out immediately from other Tor Browser users, but allowing scripts makes you stand out slower from the community unless you volunteer personal information to the site. Scripts and site content are restricted as well by cross-origin settings, first-party isolation, and so on. Tor Browser also resets to default configuration whenever you open it or click New Identity. The important word there is "identity".

https://support.torproject.org/tbb/tbb-34/
https://2019.www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
https://2019.www.torproject.org/projects/torbrowser/design/

> uBlock Origin. And since it's included for all users, the fingerprinting is not an issue.

uBlock depends on lists of filters managed by third parties beyond the developers of uBlock. Some blacklist filters break specific sites, so third parties started managing whitelist filters to patch the sites broken by blocking filters. Additionally, while ad servers can be malicious and measures are taken by Tor Browser to reduce fingerprinting, an outright ad blocker would give site owners yet another reason to want to block all Tor users.

https://support.torproject.org/faq/faq-3/

Tor has higher latency by design to defend against traffic analysis. Tor is not designed for real-time multi-player games or high-resolution livestreaming. If you can proxy it, Tor can work with it up to a point. It may not work if it wants your location for DRM or geofencing, reacts sensitively for anti-cheating, or otherwise decides to block Tor. Multi-player real-time games may nonetheless suffer from response times higher than sufficient to play comfortably. In contrast, turn-based games are less sensitive to latency. Single-player games whose assets are loaded completely from your machine should not be affected by network latency while playing.

Mr. F (not verified) said:

March 24, 2020

Permalink

no script is broken here in linux - cant switch on for single sides - so those sides wont function anymore - either i go back to former version or i remove no script at all.

What do u recommend?

Anonymous (not verified) said:

March 24, 2020

Permalink

A long time ago the Tor team pulled out two very useful options to turn on and off images and javascript. They replaced this with the Security Level system.

In my mind, it was deceitful to claim "JavaScript is disabled by default on all sites" with the "safest" setting when in fact javascript was not disabled in-browser, but only through a third-party plugin. This third-party plugin turned out to be faulty, making the "safest" setting UNSAFE.

This is completely unacceptable behavior and messaging from a security product.

Now we are all reaping the rewards of the Tor team's bad decision to hide the options to turn off images and javascript. Now, instead of having an option ready at hand, as we used to, the general user either has to hack into the about:config or wait for a browser update.

Why was the javascript button removed? It was because the Tor team subscribed to a STUPID IDEOLOGY OF USABILITY that focused on the supposed needs of the LOWEST IQ user. And yet it is precisely these people who were let down the most by this critical bug. The Tor team decided that this group of users were too stupid, too confused to be offered a simple global browser-level javascript on-off option.

Who is looking stupid now? The Tor team.

In addition to the Security Level system already in place, which works for most users most of the time, the Tor team MUST implement a more sophisticated security panel that offers choices, minimally the ability to turn on and off images, HTML5 multimedia, and javascript. If you want to hide it behind a warning, fine. But it needs to be there. We have just witnessed what happens when you take basic options away from users.

It was Mozilla who did that. Tor Browser is built upon Firefox and whatever is the latest incarnation of it.

There is so much garbage spy behavior built into default Firefox now, that it takes awhile to clear it all out (telemetry, studies, reporting, broadcast location, social, etc). Tor continues to remove all of that nonsense as it should. If you've ever taken to time to read the default Firefox privacy policy lately, it reads like an Orwellian nightmare. Still, its the best platform available to build Tor on right now due to the license, etc.

The NoScript plugin was popularized as an answer to counter Mozilla's unwillingness to allow users to disable their js manually, I recall this happened a long while ago.

The dumbing down of options is to bring aboard more average users, which is good for overall anonymity.

John (not verified) said:

March 24, 2020

Permalink

Any chance to add an option to blacklist some countries for the circuit?

I would like to blacklist the USA and UK because of their mass surveillance policies which makes me not trust them even a bit when it comes to privacy and security.

Thanks!

Anonymous (not verified) said:

March 25, 2020

Permalink

Caveat: it can decrease your anonymity, make you more vulnerable to malicious servers and increase your fingerprint. However, it is very useful for testing and for specific instances, for instance when you want to access georestricted resources whilst staying on the tor network:

1. To apply these changes to the tor browser, edit the file: tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc

(NB: to apply the settings to the tor binary in your system, you need to edit: /etc/tor/torrc)

2. To specify the entry node, add to the end of the file the following line:
EntryNode {**}
(where {**} is the country code; you can also add a server's fingerprint)

3. To specify an exit node, add:
ExitNode {**}

-To exclude a country as an exit node:
ExcludeExitNodes {us}

-To exclude a country as any kind of node:
ExcludeNodes {us}

Once again, you probably don't want to mess with these settings for your everyday browsing, just for testing or ad hoc scenarios.

The tor client tries to treat every exit node with equal distrust. I don't see your point. Furthermore, after your traffic exits Tor and is handed to the plain old internet's routing system to pass it along to wherever the destination server is located, there still are...

https://en.wikipedia.org/wiki/Five_Eyes
https://en.wikipedia.org/wiki/Submarine_communications_cable#Intelligen…
https://www.submarinecablemap.com/
https://en.wikipedia.org/wiki/GCHQ_Bude#Cable_interception
https://en.wikipedia.org/wiki/Hawaii_Cryptologic_Center
https://en.wikipedia.org/wiki/Content_delivery_network#Technology
https://en.wikipedia.org/wiki/Content_delivery_network_interconnection#…

Caveat: it can decrease your anonymity, make you more vulnerable to malicious servers and increase your fingerprint. However, it is very useful for testing and for specific instances, for instance when you want to access georestricted resources whilst staying on the tor network:

1. To apply these changes to the tor browser, edit the file: tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc

(NB: to apply the settings to the tor binary in your system, you need to edit: /etc/tor/torrc)

2. To specify the entry node, add to the end of the file the following line:
EntryNode {**}
(where {**} is the country code; you can also add a server's fingerprint)

3. To specify an exit node, add:
ExitNode {**}

-To exclude a country as an exit node:
ExcludeExitNodes {us}

-To exclude a country as any kind of node:
ExcludeNodes {us}

Once again, you probably don't want to mess with these settings for your everyday browsing, just for testing or ad hoc scenarios.

KPM (not verified) said:

March 24, 2020

Permalink

Tor Browser 9.0.7 for Android doesn't work on a Samsung Galaxy S2 (i9100) with Android 4.1.2

Ruby (not verified) said:

March 24, 2020

Permalink

Hi,
I have HTTPS everywhere updating itself. Is it safe to let it do so, as so far I have only trusted updates from TOR and no one else.

Cliff (not verified) said:

March 24, 2020

Permalink

I’m brand new to tor. Non tech savvy, basically tech illiterate, just want my privacy from big brother and ad folks. I’d also like to know how to text in privacy but I’ll get to that. I use an iPhone and a surface pro 7. Any suggestions on setting up would be appreciated

Did you have a question?

About Tor, the first set of bullets here answers it well:
https://blog.torproject.org/comment/286754#comment-286754

SMS texting is associated to your account and phone number with your mobile carrier. SMS traffic is managed by your mobile carrier, is not private, and cannot be proxied to work with Tor or VPN which go through internet. Look into messengers that are encrypted end-to-end, that try to reduce metadata leaks, and can be used on wifi. Look into Signal, Tox, Wire, FireChat, as well as CoyIM, Mastodon, and Pleroma. Develop a threat model. Decide who to trust, and learn to torify applications.

Your Surface Pro should support most desktop programs, but Microsoft has a long history of invading privacy, particularly in partnership with governments. Apple hardware, iOS, and its App Store are black boxes obscured from security auditors and developers by proprietary licenses and non-disclosure agreements. All companies right now push for vendor lock-in and dependence in their spheres of influence. Tor Browser is available on phones with Android only, but Android has had more malware historically than iOS.

Connection Encrypted (not verified) said:

March 24, 2020

Permalink

Hallo,

was downloading from dist.torproject.org with TBB9.0.6 and the browser has
FIXED the encryption at (TLS_AES_128_GCM_SHA256, 128 bit keys, TLS1.3).
Setting in security.ssl3.* doesn't matter.
What's the reason for?

Anonymous (not verified) said:

March 24, 2020

Permalink

Downgrading http-everywhere is not easy to do on all platforms, and the bug that we want to avoid is in a feature that is not enabled by default, so we decided to release 9.0.7 with the new http-everywhere version.

Why not in changelog?

The 9.0.7 does not include any change for this, so it was not included in the ChangeLog. The new Tor Browser version includes the newer version of https-everywhere and that was absent from the ChangeLog. It is now included. A comment about the bug in https-everywhere's EASE mode is now included in the blog post, as well.

southerntofu (not verified) said:

March 25, 2020

Permalink

Thanks for the update just to let you know the embedded PDF reader pdf.js does not work anymore in safest mode because of the JS engine being disabled.

It would be useful to at least serve a fallback message "download PDF" (the pdf.js button for downloading does not work with JS disabled)

AlexM (not verified) said:

March 25, 2020

Permalink

Исчезла кнопка блокировки HTML5-отпечатка (надеюсь я правильно выразился и вы меня поняли). Теперь нельзя заблокировать иньекцию отпечатка HTML5 от всех сайтов, которые это пытаются делать.

HoolaHoop (not verified) said:

March 25, 2020

Permalink

There is a HUGE problem with Tor on Android.
If somebody has changed cookies or DNT settings and after shut down the browser, the next time opening the browser, even settings apear to be fine, the fact is that the have been changed as they were before before they got changed!

However if you change them after the browser starts there is no problem.
The same goes each time you shut down and start Tor.

I apologize for my terrible English...

HoolaHoop (not verified) said:

March 27, 2020

Permalink

Even if accidenticaly someone change these settings and then set their values to the default ones, the values are gonna be those he had seted at first, the dangerous ones as you have said.

Question (not verified) said:

March 27, 2020

Permalink

If I have first installed tor browser in a previous version should the signature after 9.0.7 update be the 9.0.7 apk signature or the signature of the version I have first downloaded?
Why do every version has a different signature?
I am talking about SHA-256 signature.

Sksopsjhdyd (not verified) said:

March 27, 2020

Permalink

Have you got the Signatures?
You have uploaded a link with SHA-256 Checksums.
I only can verify SHA-256 Signatures.
In my apk SHA-256 signature appears to be 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8

Signature Type: SHA256withRSA

Key Type: RSA 4096bit

App used: Checkey (Guardian Project)

Anonymous (not verified) said:

March 25, 2020

Permalink

noscript, https-everywhere where not updated maybe because they are set to off for automatic updates, though thought this was recommended. About time you ditched them and integrated the functions.

Anonymous (not verified) said:

March 26, 2020

Permalink

That is not good. Extensions are known vectors, my research shows these in particular have had issues. Look at all the dates on these bugs with no fixes. This is not good either. Most extension vulnerabilities can be prevented by disabling any connection function or blocking their connections entirely. For example https-everywhere even has its own internal self-update function, though this fortunately appears to be disabled in preferences, though not disabled/removed entirely, as it really should be.

No, disabling extension updates does not prevent vulnerabilities. The vulnerabilities in the extensions are the same whether or not we enabled extension updates. The only thing that is changing is how users are getting the fixes. In the past, extension updates have been used to fix vulnerabilities (mainly to noscript). This is the reason why we kept extension updates enabled. Making a new Tor Browser release involves a lot of work, so having the option to fix an issue with a noscript updates saves us a lot of time. However it is also better if users don't have to trust updates from multiple sources, which is why we are considering disabling updates for the the extensions we ship.

Anonymous (not verified) said:

March 27, 2020

Permalink

Contradiction? You ignored what I said, or I was not clear enough. So you verify every automatic update? Seems like it would be less work and safer to integrate the functions. Disabling and removing extensions does prevent vulnerabilities, by your own advice of not installing them. My main point here is having internal extension connection functions that can update themselves internally even though they are disabled by default is poor practice. There is even a big warning message in https-everywhere. What more do you need? I appreciate it takes a lot of effort, though recently you had a big bug raising fund. Thought you stated it was great and would be used to fix bugs. If there is a lack of developers and support then that is a great shame. Lives depend on Tor as you no doubt know. I am grateful for your efforts regardless.

Anonymous (not verified) said:

March 25, 2020

Permalink

Often pages are endlessly loading, so clicking New Tor Circuit, but this fails due to the page still trying to load and just gives a blank page, resulting in having to wait a long time for it to fail before you can choose a new circuit.

All and any websites, it's a general problem.. Endless loading.. try to get a new circuit.. blank page.. have to wait for failed loading until able to choose a new circuit to avoid getting just a blank page.

You mean they timeout and stop, not that they refresh on their own like this blog. Do any sites load successfully?

You can stop loading by pressing the Escape key or by opening the right-click menu on the page and clicking the X or by dragging the Reload button to your toolbar (Customize) that will turn into an X as pages are loading.

The sites could be blocking Tor. Even if a site is not blocking Tor, some sites need JavaScript or features that are less private, and some sites load faster if those features are disabled. You can try one of the other security levels in the shield icon, and then load the site. Sites ending in .onion are slower in general, and smaller onion sites are down more often. It could be that the sites you are trying do not exist anymore.

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_erro…

Yes they timeout and stop, failing to load.. It can happen on any page.. Yes they load successfully but only after they can timeout and a new circuit can be chosen.. If a new circuit is chosen before the timeout then it results in a blank page.

Yes, but UA header and navigator.userAgent still return real platform.

Tor Browser:
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Firefox on Windows 10 x64:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Jim (not verified) said:

March 26, 2020

Permalink

Disqus functionality is still completely borked, rendering any site using Disqus (which is a lot) useless. Setting security and java-script to minimum and allowing everything and still no workie. Something is fundamentally broken as far as Disqus...

Anonymous (not verified) said:

March 26, 2020

Permalink

Ok sorry but I waited for days, sorry for the spam, thought it wasn't working. You should show a clear message and include this link.

I went to the DuckDuckGo onion website. I was on the safest level. It popped up a cross site scripting popup and then I blocked all XSS from that site. Now when I try to go to the Duck Duck Go onion URL the browser does not load it. However when I go to search the Clearnet Duck DuckGo url I can find pages that link to the DUCKDuckGo Onion url and when I follow the links it goes there and works. But no matter how many times I try to load the url from my bookmarks it does not work.

Step by step, verify your bookmark. Then, from where was the XSS being loaded? Was it duckduckgo.com or duck.co, or was it someplace else? If it's still suspicious, scan your computer for viruses and/or reinstall Tor Browser. Contact DuckDuckGo support.

It is not a good idea to download/update Tor from playstore.
Google may even try to modify the app and add NSA backdoors. It is well know that they are cooperating for many years with NSA and other intelligence agencies.
Just use this website or fdroid..
And if you want to be sure check the pgp and sha signatures of the apk you have downloaded to be sure it is not modified...

Anonymous (not verified) said:

March 27, 2020

Permalink

There are tab crash vulnerabilities that will cause all extensions to be disabled.

Anonymous (not verified) said:

March 30, 2020

Permalink

Seems to be with javascript / memory buffer overflow. Extensions become functionally disabled, it would appear their internal javascript stops functioning.

Did you not see my reply saying it causes extensions to become functionally disabled? Their menus still open but they are mostly blank, all their internal javascript for websites appears to stop working. It appears the javascript engine crashes or something.. So I would recommend embedding the functions in the browser so this would not happen. I'm not going to try to tell you how to crash tabs, thought this was your area of expertise. Think I already said enough that shows the problem. Surely you know how to perform javascript / memory buffer overloads. If you ask short questions, expect short answers. It's as if you don't use the browser yourself or something!

Anonymous (not verified) said:

March 27, 2020

Permalink

The lack of professionalism here is at best embarrassing and at worst scary. At a time of global emergency it is saddening that this supposed security project is greatly lacking. You speak of the importance of security and yet you don't even bother to fix your own website or clear vulnerabilities. Perhaps this project should come with a health warning of its own!

Yes I have posted them here but not being taken seriously. The bug tracker appears to have many similar bugs that aren't being fixed in many years! I am beginning to lose trust here.

William (not verified) said:

March 27, 2020

Permalink

Having issues with connection stability. What is the best way to connect to Tor (cable provider, personal WiFi via hotspot on a smart phone, or others)? Bisq loads with Tor, any suggestions for establishing a stable connection in within Linux Ubuntu? Thank you.

tor will attempt to reconnect if the connection is broken. Connection stability is usually independent of tor and thus affects connections not through tor as well. If a Tor circuit is unused, it will expire after a maximum of 10 minutes, and a new circuit will be created. I don't know if an active connection held open by an application would be forced to close if its circuit is older than 10 minutes. I don't think it should.

Anonymous (not verified) said:

March 28, 2020

Permalink

Tor Exit Failures

Average probability-weighted failure rate: 74.7%

Test ran at 2020-03-27 20:16:00 UTC

What's going on?

Marty (not verified) said:

March 28, 2020

Permalink

Hello, the Tor Browser telling me now that the Tor is broken. I can see red page with "Something went wrong" message. I use Windows 7 32-bit. I updated yesterday on 9.0.7 version. I saw this red page before update but after the update it disappeared. But now, the day after my update, i see it again and there is no description of the problem.

How to resolve this, please? How to fix the Tor and make the Tor Browser functional again?

Does it say, "Tor is not working in this browser"? That would be a description of the problem. The tor daemon (or "expert bundle") is a network proxy daemon that is packaged in the Tor Browser Bundle. The error basically means the tor daemon is not running. It is supposed to start when you open the browser, before the window appears. However, as it is a separate program, it can crash, and it won't crash the browser program. If the browser cannot access the tor daemon, the browser displays an error.

Does https://check.torproject.org/ return "Congratulations"? If not, exit all windows of the browser, wait 10 seconds, and reopen the browser.

Read the daemon's connection log to see if there are any error messages:
https://support.torproject.org/tbb/tbb-21/
Don't paste the log online if you configured bridges.

Hello! I hope you are using Firewall? Make sure the only tor.exe is allowed to communicate via network.
Concerning your issue - it is old "bug" on Windows. - You have just to restart your browser.

Kelryth (not verified) said:

March 28, 2020

Permalink

I use tor safest mode because it prevented javascript except on sites I explicitly set to trusted. This no longer works due to the complete disabling of javascript. Will it return to the previous functionality at some point?

Quoting the blog post, "We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability."

Anon (not verified) said:

March 29, 2020

Permalink

After I upgraded my android to 10, both Orbot and Tor Browser stopped working. The upgrade to new android was pushed by Samsung and the phone is not rooted.
Orbot keeps saying application request when we haven't used client functionality lately.
Tor browser however gives the following error:
Warning: pluggable transport process terminated with status code 6.
Any ideas?

Fbbbbbbb (not verified) said:

March 30, 2020

Permalink

Tor browser su android non apre nessuna pagina e si blocca subito dopo averlo avviato come posso risolvere?

Check if your bridges are down. Paste a bridge fingerprint in Relay Search (and ONLY in Relay Search):
https://metrics.torproject.org/rs.html
https://2019.www.torproject.org/docs/bridges.html.en#Understanding

Offline, fingerprints are saved in your torrc file. Don't edit it.
https://support.torproject.org/tbb/tbb-editing-torrc/

If your bridges are down, disable them and connect through Guard relays. Or if you absolutely need bridges, you can request another set:
https://support.torproject.org/censorship/censorship-4/

If they're up but you can't connect, then the issue may be temporary, or there may be a problem on your specific network.

Anon (not verified) said:

April 01, 2020

Permalink

According to an app I am using (checkey, guardian project), the SHA-256 signature of Tor Browser for Android is 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8
However the SHA-256 signature you have uploaded is different.
Is the apk fake?
I downloaded the apk from torproject.org on 2 devices and the signature is the same.

If someone knows the answer I would be glad for helping me.

I think 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8 is the fingerprint of the certificate signing the apk, not the hash of the file.

justoneinthecrowd (not verified) said:

April 01, 2020

Permalink

Under the section USING PLUGGABLE TRANSPORTS
I still guess you should open the menu at the top right, for rather Customize instead.

Perhaps still a bit more left to do, before any finished product here, because here also something missing when only installing the Tor browser.

This person is talking about instructions in the Tor Browser Manual here:
https://tb-manual.torproject.org/circumvention/

It does say to open the menu at the top right. The second paragraph says, "click on 'Preferences' in the hamburger menu." The "hamburger" menu is the browser's main menu whose icon is a stack of 3 horizontal lines. "Customize" is an unrelated tab where you can edit your toolbar. There is nothing in "Customize" that will help.

You can change the language of the purple website at the top of the page.

Roy Ramsey (not verified) said:

April 02, 2020

Permalink

I have a question or two. I use TOR and Firefox. I noticed that somehow they are connected. What is the connection for TOR and Firefox. Is there going to be a takeover of one or the other sometime in the future. Also I noticed when I bring up TOR it does not go full screen. Is it ok to blow it up full screen or will that pose some sort of security risk. Thank you so much.

Tor Browser is based on Firefox, with additional patches and customization. We are collaborating with Mozilla to integrate our changes into Firefox as much as possible (sometimes behind a pref). But the two organizations are independent.

You can maximize the browser window. The window size is a fingerprinting vector, but the letterboxing feature mitigates that:
https://support.torproject.org/tbb/maximized-torbrowser-window/

Adrien (not verified) said:

April 02, 2020

Permalink

I used to love this browser but it is still not working for me. I have the old windows 7.... could this be the issue?

Anonymous (not verified) said:

April 04, 2020

Permalink

There were two critical zero day vulnerabilities discovered in Firefox yesterday. These zero day vulnerabilities have apparently been observed in the wild. They both involve use-after-free vulnerabilities. They have been patched in Firefox and Firefox ESR. Here's a link to the advisory:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/

Presumably, these vulnerabilities affect Tor as well as it is based on Firefox. As it is now a day old and no updates or comment from Tor. These are both CRITICAL vulnerabilities. When can we expect them to be patched in Tor as well as TAILS?