New Release: Tor Browser 9.0.7

Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Tor.

This release updates Tor to 0.4.2.7 and NoScript to 11.0.19.

In addition, this release disables JavaScript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed JavaScript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow JavaScript by:

  • Open about:config
  • Search for: javascript.enabled
  • The "Value" column should show "false"
  • Either right-click the row and select "Toggle", or double-click the row, so that the value changes to "true"

We are taking this precaution until we are confident that recent NoScript versions reliably block JavaScript execution by default, working around a Firefox ESR vulnerability.

In addition, HTTPS Everywhere version 2020.3.16 supports a new mode of operation named EASE (Encrypt All Sites Eligible). Tor Browser users should not enable this feature. EASE allows per-site exceptions (whitelisting), but adding per-site exceptions may increase a user's uniqueness while using Tor Browser. Furthermore, when EASE mode is enabled, the whitelisting feature does not always work correctly. We decided against downgrading the included HTTPS Everywhere version.

The full changelog since Tor Browser 9.0.6 is:

  • All Platforms
    • Bump NoScript to 11.0.19
    • Bump Https-Everywhere to 2020.3.16
    • Bug 33613: Disable Javascript on Safest security level
  • Windows + OS X + Linux
    • Bump Tor to 0.4.2.7


Update 2020-03-25: Added Https-Everywhere upgrade in ChangeLog and message about EASE mode.

Interestingly, this ticket mentions that uMatrix is undesirable because it doesn't block WebGL as NoScript does. Well, by default NoScript also allows WebGL as soon as you allow scripts from a certain site (Trusted zone in NoScript).

IMHO, the NoScript config that ships in TorBrowser must not enable WebGL by default for all NoScript Trusted sites. Make that setting controlled by the Security Level, etc.

Anonymous

March 24, 2020


Thanks for the JavaScript workaround, allowing us to tweak JavaScript permissions on a per-site basis whilst staying on the Safest mode. It was driving me nuts!

But the "security level" easement allows ALL spying and third-party scripts as well. Isn't it a bigger problem?
Do you want to be slightly fingerprinted or completely profiled? Your choice.

For comparison, Tails adds to TorBrowser an add-on to disable the known bad scripts - uBlock Origin. And since it's included for all users, the fingerprinting is not an issue.

> Isn't it a bigger problem? Do you want to be slightly fingerprinted or completely profiled?

Yes, it is a bigger problem for a community using Tor Browser because a unique fingerprint makes you stand out immediately from other Tor Browser users, but allowing scripts makes you stand out slower from the community unless you volunteer personal information to the site. Scripts and site content are restricted as well by cross-origin settings, first-party isolation, and so on. Tor Browser also resets to default configuration whenever you open it or click New Identity. The important word there is "identity".

https://support.torproject.org/tbb/tbb-34/
https://2019.www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
https://2019.www.torproject.org/projects/torbrowser/design/

> uBlock Origin. And since it's included for all users, the fingerprinting is not an issue.

uBlock depends on lists of filters managed by third parties beyond the developers of uBlock. Some blacklist filters break specific sites, so third parties started managing whitelist filters to patch the sites broken by blocking filters. Additionally, while ad servers can be malicious and measures are taken by Tor Browser to reduce fingerprinting, an outright ad blocker would give site owners yet another reason to want to block all Tor users.

https://support.torproject.org/faq/faq-3/

Tor has higher latency by design to defend against traffic analysis. Tor is not designed for real-time multi-player games or high-resolution livestreaming. If you can proxy it, Tor can work with it up to a point. It may not work if it wants your location for DRM or geofencing, reacts sensitively for anti-cheating, or otherwise decides to block Tor. Multi-player real-time games may nonetheless suffer from response times higher than sufficient to play comfortably. In contrast, turn-based games are less sensitive to latency. Single-player games whose assets are loaded completely from your machine should not be affected by network latency while playing.

Anonymous

March 24, 2020


NoScript is broken here in Linux - can't switch it on for single sites - so those sites won't function anymore - either I go back to the former version or I remove NoScript altogether.

What do you recommend?

Anonymous

March 24, 2020


A long time ago the Tor team pulled out two very useful options to turn on and off images and javascript. They replaced this with the Security Level system.

In my mind, it was deceitful to claim "JavaScript is disabled by default on all sites" with the "safest" setting when in fact javascript was not disabled in-browser, but only through a third-party plugin. This third-party plugin turned out to be faulty, making the "safest" setting UNSAFE.

This is completely unacceptable behavior and messaging from a security product.

Now we are all reaping the rewards of the Tor team's bad decision to hide the options to turn off images and javascript. Now, instead of having an option ready at hand, as we used to, the general user either has to hack into the about:config or wait for a browser update.

Why was the javascript button removed? It was because the Tor team subscribed to a STUPID IDEOLOGY OF USABILITY that focused on the supposed needs of the LOWEST IQ user. And yet it is precisely these people who were let down the most by this critical bug. The Tor team decided that this group of users were too stupid, too confused to be offered a simple global browser-level javascript on-off option.

Who is looking stupid now? The Tor team.

In addition to the Security Level system already in place, which works for most users most of the time, the Tor team MUST implement a more sophisticated security panel that offers choices, minimally the ability to turn on and off images, HTML5 multimedia, and javascript. If you want to hide it behind a warning, fine. But it needs to be there. We have just witnessed what happens when you take basic options away from users.

It was Mozilla who did that. Tor Browser is built upon Firefox and whatever is the latest incarnation of it.

There is so much garbage spy behavior built into default Firefox now that it takes a while to clear it all out (telemetry, studies, reporting, broadcast location, social, etc.). Tor continues to remove all of that nonsense, as it should. If you've ever taken the time to read the default Firefox privacy policy lately, it reads like an Orwellian nightmare. Still, it's the best platform available to build Tor on right now due to the license, etc.

The NoScript plugin was popularized as an answer to counter Mozilla's unwillingness to allow users to disable their JS manually; I recall this happened a long while ago.

The dumbing down of options is to bring aboard more average users, which is good for overall anonymity.

Anonymous

March 24, 2020


Any chance to add an option to blacklist some countries for the circuit?

I would like to blacklist the USA and UK because of their mass surveillance policies, which make me not trust them even a bit when it comes to privacy and security.

Thanks!

Caveat: it can decrease your anonymity, make you more vulnerable to malicious servers and increase your fingerprint. However, it is very useful for testing and for specific instances, for instance when you want to access georestricted resources whilst staying on the tor network:

1. To apply these changes to Tor Browser, edit the file: tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc

(NB: to apply the settings to the tor binary in your system, you need to edit /etc/tor/torrc)

2. To specify the entry node, add the following line to the end of the file:
EntryNodes {**}
(where {**} is the country code; you can also add a server's fingerprint)

3. To specify an exit node, add:
ExitNodes {**}

- To exclude a country as an exit node:
ExcludeExitNodes {us}

- To exclude a country as any kind of node:
ExcludeNodes {us}

Once again, you probably don't want to mess with these settings for your everyday browsing, just for testing or ad hoc scenarios.
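As an added example (not code from the Tor Project or from the commenter above), a small Python audit that parses a torrc, lists the node-restriction directives described above, checks that each country code, fingerprint or nickname specifier is well-formed, and reports the anonymity caveat together with whether StrictNodes is set. The regex patterns are a simplified approximation of Tor's specifier syntax, and the sample torrc is constructed.

```python
"""Audit a torrc for node-restriction directives (added example, not Tor Project code).
Collects EntryNodes/ExitNodes/ExcludeNodes/ExcludeExitNodes, validates each
specifier's syntax, and warns about the anonymity cost and StrictNodes."""
import re

# Directives that narrow which relays Tor may pick, shrinking the anonymity set.
RESTRICTING = ("EntryNodes", "ExitNodes", "ExcludeNodes", "ExcludeExitNodes")
COUNTRY_RE = re.compile(r"^\{[A-Za-z]{2}\}$")          # country code, e.g. {us}
FINGERPRINT_RE = re.compile(r"^\$?[0-9A-Fa-f]{40}$")   # 40-hex relay fingerprint (simplified)
NICKNAME_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")       # relay nickname


def parse_torrc(text):
    """Yield (directive, value) pairs; blank lines and '#' comments are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.replace("\t", " ").partition(" ")
            yield key, value.strip()


def audit_torrc(text):
    """Return a report: restrictions found, malformed specifiers, StrictNodes, warnings."""
    report = {"restrictions": {}, "invalid": [], "strict": False, "warnings": []}
    for key, value in parse_torrc(text):
        if key == "StrictNodes":
            report["strict"] = value == "1"
        elif key in RESTRICTING:
            specs = [s.strip() for s in value.split(",") if s.strip()]
            report["restrictions"].setdefault(key, []).extend(specs)
            report["invalid"] += [(key, s) for s in specs if not (
                COUNTRY_RE.match(s) or FINGERPRINT_RE.match(s) or NICKNAME_RE.match(s))]
    for key, specs in report["restrictions"].items():
        report["warnings"].append(
            f"{key} {','.join(specs)} narrows relay selection; this client may stand out")
    if any(k.startswith("Exclude") for k in report["restrictions"]) and not report["strict"]:
        report["warnings"].append(
            "StrictNodes is off: Tor may still use excluded relays when it deems it necessary")
    return report


# Constructed sample torrc (not a real configuration).
SAMPLE_TORRC = """\
SocksPort 9150
ExcludeNodes {us},{gb}      # keep US and UK relays out of every hop
ExcludeExitNodes {us}
ExitNodes {de},{deu}        # {deu} is not a two-letter code and gets flagged
"""
```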

Anonymous

March 24, 2020


Hi,
I have HTTPS Everywhere updating itself. Is it safe to let it do so, as so far I have only trusted updates from Tor and no one else?

Anonymous

March 24, 2020


I’m brand new to tor. Non tech savvy, basically tech illiterate, just want my privacy from big brother and ad folks. I’d also like to know how to text in privacy but I’ll get to that. I use an iPhone and a surface pro 7. Any suggestions on setting up would be appreciated

Did you have a question?

About Tor, the first set of bullets here answers it well:
https://blog.torproject.org/comment/286754#comment-286754

SMS texting is associated with your account and phone number with your mobile carrier. SMS traffic is managed by your mobile carrier, is not private, and cannot be proxied to work with Tor or a VPN, which go through the internet. Look into messengers that are encrypted end-to-end, that try to reduce metadata leaks, and that can be used on wifi. Look into Signal, Tox, Wire, FireChat, as well as CoyIM, Mastodon, and Pleroma. Develop a threat model. Decide who to trust, and learn to torify applications.

Your Surface Pro should support most desktop programs, but Microsoft has a long history of invading privacy, particularly in partnership with governments. Apple hardware, iOS, and its App Store are black boxes obscured from security auditors and developers by proprietary licenses and non-disclosure agreements. All companies right now push for vendor lock-in and dependence in their spheres of influence. Tor Browser is available on phones with Android only, but Android has had more malware historically than iOS.

Anonymous

March 24, 2020


Hello,

I was downloading from dist.torproject.org with TBB 9.0.6 and the browser had
the encryption FIXED at (TLS_AES_128_GCM_SHA256, 128 bit keys, TLS1.3).
Settings in security.ssl3.* don't matter.
What's the reason for that?

Anonymous

March 24, 2020


Downgrading https-everywhere is not easy to do on all platforms, and the bug that we want to avoid is in a feature that is not enabled by default, so we decided to release 9.0.7 with the new https-everywhere version.

Why not in changelog?

9.0.7 does not include any change for this, so it was not included in the ChangeLog. The new Tor Browser version includes the newer version of https-everywhere, and that was absent from the ChangeLog. It is now included. A comment about the bug in https-everywhere's EASE mode is now included in the blog post as well.

Anonymous

March 25, 2020


Thanks for the update. Just to let you know, the embedded PDF reader pdf.js does not work anymore in Safest mode because the JS engine is disabled.

It would be useful to at least serve a fallback message "download PDF" (the pdf.js button for downloading does not work with JS disabled).

Anonymous

March 25, 2020


The button for blocking the HTML5 fingerprint has disappeared (I hope I phrased that correctly and you understood me). Now it is impossible to block HTML5 fingerprint injection from all the sites that try to do it.
