New Release: Tor Browser 9.5a9

by antonela | March 30, 2020

Tor Browser 9.5a9 is now available from the Tor Browser Alpha download page and also from our distribution directory.
 
Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
 
This release updates Tor to 0.4.3.3-alpha and NoScript to 11.0.21.
 
In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow Javascript by:
  • Open about:config
  • Search for: javascript.enabled
  • The "Value" column should show "false"
  • Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.
We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.
 
The full changelog since Tor Browser 9.5a8 is:
  • All Platforms
    • Translations update
    • Bump NoScript to 11.0.21
    • Bug 33613: Disable Javascript on Safest security level
    • Bug 33342: Avoid disconnect search addon error after removal
  • Windows + OS X + Linux
    • Translations update
    • Bump Tor to 0.4.3.3-alpha
    • Update Tor Launcher to 0.2.21.5

Comments

Please note that the comment area below has been archived.

March 30, 2020

I have a question. I replaced HTTPS Everywhere with HTTPZ, which is much faster and more lightweight... Is that stupid?

Cons:
Been around nearly a year yet, This is not a Recommended Extension. Make sure you trust it before installing.

Default option of fallback to http without warning.

Still relies on javascript. I recommend embedding the functions in the browser instead.

Would need a full review.

Pros:
1 less permission requirement.

No apparent connection functions.

Lightweight.

Independent developer.

You are replacing a long-tested add-on from VERY trusted developers with a recently created one, whose developers are not as trusted as the EFF, which is behind HTTPS-Everywhere.
You should not be doing that.
You are putting yourself at risk.

The first reason is that the Tor team adds the default add-ons and makes sure users have the same ID and add-ons on the wild internet, to avoid tracking and deanonymizing users.
Another reason: even if HTTPZ is safe (or not), it may have a vulnerability that affects your browser and lets you be tracked. So for your security and privacy, don't use any add-ons; try removing the Tor directory and installing a new one from the Tor setup. Regards

March 31, 2020

I have 4 main questions to ask and need a response as they are important for the whole *Tor* community to recognise and see.

Why are cookies not fully disabled in settings by default in "Tor Browser" application?

I'm saying this from experience on "Android" with the Tor Browser app. This is the case for the latest alpha version "Tor Browser 9.5a9" and the latest stable release "Tor Browser 9.0.7".

As *Tor* is heavily based on privacy wouldn't this make it more secure by default.

When will snowflake bridges come to the Android app (Alpha and Stable version)?

Why is the "Tor Browser" application not based on Firefox version 74, which is the latest version of Firefox? It is available for macOS, Windows and Linux OSes; not sure if it's available for Android yet.

I say this as I assume it would be more stable and secure compared to Firefox version 68.6.0 right?

Please let me know if I am wrong by saying that but it just makes sense.

Why do obfs4 and Azure bridges not work at all in the Android version 9.0.7 armv7 of "Tor Browser"?

Also, another suggestion: you might want to change the change log for alpha 9.5a9 and other releases of "Tor Browser" on the blog page where it states that extensions are updated to a certain version. However, in real-life usage, NoScript and HTTPS Everywhere automatically update to the latest version by default.

Apart from the queries above...

Your application works flawlessly across all OSes, especially the alpha version. Well done, developers; keep up this phenomenal program to bypass censorship and keep anonymity in the online world.

Cookies are not disabled because it prevents some websites from working. Instead they are cleaned when closing the browser, or when using the "New Identity" button.

I don't know when Snowflake will be available on Android, but we have a ticket for that:
https://trac.torproject.org/projects/tor/ticket/28672

Regarding Firefox version, we are currently following Firefox ESR releases. We are however planning to switch to Firefox rapid releases in a few months.

For obfs4proxy not working with version 9.0.7, I think it might be this issue which is fixed in the alpha, but not yet in the stable series:
https://trac.torproject.org/projects/tor/ticket/32303

April 02, 2020

In reply to boklm

Ok thanks for things up.

I can confirm obfs4 and azure bridges work on tor browser alpha versions for Android 10,9.

April 02, 2020

In reply to boklm

> We are however planning to switch to Firefox rapid releases in a few months.

Won't that make auditing Firefox a LOT harder for Tor Project to keep up with? As you said, "Making a new Tor Browser release involves a lot of work" already.

Yes, that will add some work. However Fenix is not supported on ESR, so we'll have to do it for mobile anyway.

We'll have to review new Firefox features more often, and have less time to patch/disable them, however the total number of features to review should be the same.

For more about how Tor Browser manages cookies, find the text, "cookie", on its design document. Open Find by pressing Ctrl+F on a desktop or, on Android, 3-dots menu --> Find in Page.
https://2019.www.torproject.org/projects/torbrowser/design/

> I assume [latest Firefox] would be more stable and secure compared to Firefox [ESR] version 68.6.0 right?

No, the extended support release (ESR) tends to be more stable than the latest standard "rapid" release. This is also true of long-term support (LTS) or enterprise releases of other software. All releases receive the latest security and stability patches, but the standard rapid/rolling release receives the newest, sometimes experimental, *features*.

https://support.mozilla.org/en-US/kb/switch-to-firefox-extended-support…
https://support.mozilla.org/en-US/kb/choosing-firefox-update-channel

I like how Clément Lefèbvre explained it: "[The rolling release] runs newer [features]. Life on the [rolling] side can be exciting. When ready, newly developed features get directly into [the rolling release], whereas they are staged for inclusion on the next upcoming [LTS/ESR] point release. Consequently, [LTS/ESR] users only run new features when a new point release comes out. [Rolling release] users... don’t have to wait for new [features] to mature, and they usually get to run them first. It's more risky but more exciting."

> All releases receive the latest security and stability patches, but the standard rapid/rolling release receives the newest, sometimes experimental, *features*.

Actually all the bug fixes are first made on the standard release branch. But only the ones that are considered important enough are backported to the ESR branch, so it is still possible that some are missed on the ESR branch. This is part of the reason why we are planning to switch to the rapid release branch (the main reason being that Fenix won't be supported on the ESR branch).

April 03, 2020

In reply to boklm

Yes, the term "bug fixes" is broader in scope. It's curious, then, that Mozilla says, "Firefox ESR does not come with the latest features but it has the latest security and stability fixes," and "ESR receives... minor updates such as crash fixes, security fixes and policy updates as needed, but at least every six weeks."

April 01, 2020

does anybody know how to use spotify's web player on TOR ? It keeps reminding me to enable secure playback in my browser but I don't know how (I've read the tips spotify offered on enabling the web player for firefox users yet no luck). plz

Spotify's message, "Enable secure playback in your browser," means Spotify wants you to enable Digital Rights Management (DRM) in your browser to be able to play their content. In Mozilla Firefox, that would be done by installing the Google Widevine Content Decryption Module (CDM) plugin which you could do by opening Preferences and checking "Play DRM-controlled content". Plugins, like Cisco Systems' H264 codec and Adobe Flash and unlike add-ons, run outside of the browser's protective sandbox. Tor Browser does not come with third-party plugins nor add-ons other than HTTPS Everywhere by the Electronic Frontier Foundation (EFF) and NoScript by Giorgio Maone, a member of the Mozilla Security Group.

https://duckduckgo.com/?q=digital+rights+management
https://duckduckgo.com/?q=digital+rights+management+defective+by+design

https://support.mozilla.org/en-US/kb/enable-drm
https://support.torproject.org/tbb/tbb-14/
https://support.torproject.org/tbb/tbb-12/
https://tb-manual.torproject.org/plugins/

April 01, 2020

Your statement that EASE from HTTPS Everywhere should be disabled is not, in my opinion, beneficial for users.
By disabling that, an attacker can downgrade the connection to http and inject code with malware.
It is pretty clear that using http with Tor is dangerous, so why don't you advise regular users, who use Tor for everyday browsing, to not use http at all? I understand that in many cases you must use http, but in most situations you have https, so you don't need exceptions.
Even if you need to visit an http site, you can go and disable HTTPS Everywhere and re-enable it after you exit that site? Is that hard?
It is very important that regular, tech savvy users use Tor, the network gets bigger and as a result more anonymous, however we should not give up security for that.

Regular users are not tech savvy. They want everything to "just work" and don't want to learn anything new or consciously train self-discipline to restrain their insecure, exhibitionist behaviors. Those are the people who have to feel welcome so the Tor network will rapidly grow. Read the complaints about just the letterboxing feature in the blog post for 9.0.

If I understand correctly, injection of scripts via http by an eavesdropper is only possible in Standard mode because NoScript disallows http scripts in Safer and Safest. Although, I'm uncertain what happens to http resources embedded in a https site. Even so, most users have been trained by now to treat a green padlock and "https" as secure.

Fallback to http is possible regardless of HTTPS-E if the site offers http. The reasoning in the blog post for 9.0.7 to disable EASE is that it makes a customized whitelist, and customized filters can fingerprint you. EASE could be permissible if it warned users but did not make a whitelist, but then users would see warnings repeatedly and might be annoyed and disable it themselves.

NoScript makes a whitelist if you respond to its blue pop-ups and block XSS or allow media. Developers, if EASE could be reset like NoScript by New Identity or changing security level, would its whitelist be permissible?

> Is that hard?

You'd be surprised.

April 01, 2020

can i maximize the screen now without sacrificing browser fingerprint now since letterboxing is enabled?

April 02, 2020

I want to learn how to really navigate the onion and in return I’ll sculpt this cyber-world into a cyber-stronghold

April 02, 2020

Do you plan to force android users to use the same screen size?
It is very bad for fingerprinting that screen sizes differ a lot.

April 03, 2020

Is it possible to use wget with TBB? I don't want to have to boot into TAILS just to use wget w/ Tor. TIA.

April 08, 2020

I have a problem accessing a website ...

https:// www . renaissancekingdoms . com/?lan=en

before in the tor he entered normal.
However now it seems that the site can block access by TOR.

SEE:
Forbidden
You don't have permission to access / on this server.

does anyone know what can be done to access that site through the tor network?
Sometimes with you and spend some time again

https://prnt.sc/rvcjri