New Release: Tor Browser 9.0.8

by sysrqb | April 3, 2020

Tor Browser 9.0.8 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security fixes to Firefox.

The full changelog since Tor Browser 9.0.7 is:

  • All Platforms
    • Mozilla Bug 1620818 - Release nsDocShell::mContentViewer properly
    • Mozilla Bug 1626728 - Normalize shutdown

Comments

Please note that the comment area below has been archived.

April 05, 2020

Permalink

Is there a possibility to include the connection display for hops for mobile systems, just like the desktop versions?

April 05, 2020

Permalink

The info window still says "based on ... 68.6.0esr". Is that expected? Where the patches applied manually instead of upgrading the firefox base?

Yes, that is correct. We took the patches from 68.6.1esr and applied them on top of 68.6.0esr along with the Tor Browser-specific patches. This allowed us to begin building this version of Tor Browser faster than if we used 68.6.1esr.

> Where the patches applied manually instead of upgrading the firefox base?

Yes. For comparison, see the blog announcements for 9.0.6, 9.0.5, 9.0.4, 9.0.3, etc. The changelogs of those say, "All Platforms... Update Firefox to..." In contrast, the changelog of version 9.0.7 did not say that because it did not update Firefox.

April 05, 2020

Permalink

When I start Tor it often opens in red saying something went wrong. I then have to close it and open it again. It then opens correctly the second time. Is there a FAQ about this or if not why does this keep happening? Have others noticed this? Thank you.

Yes, exactly the same thing happens to me. It seems to happen in cycles of varying lengths with varying lengths of time between periods as well, i.e., at times it doesn't happen at all in periods that seem to last a week or so to 3-4 weeks with no problems, then a period when it occurs in the two-steps you describe that seem to last between a few days to a couple weeks, then back to no problem again, etc.

Yes, I am noticing the same behavior. Although instead of simply closing and restarting I need do the following:
1] Close Tor Browser
2] rm -rf /tordirectory
3] tar -xvf tor.tar.xz

I'm on 32 bit linux, and this behavior is for 9.0.7, may still persist on 9.0.8 but unsure, as am downloading right now.

April 05, 2020

Permalink

a mistake happens, these security fix are based on firefox esr 68.6.1 nor 68.6.0(in Tor Browser 9.0.8 is based on 68.6.0 and must be based on firefox esr 68.6.1) please fix it, thank you

April 05, 2020

In reply to sysrqb

Permalink

thank you, i understand what you say for saving time and etc but i have a question about; is there any update for tor to upgrade base to 68.6.1?? if not are you sure this build work well(for example security risk, performance or etc ?
i mean if firefox esr 68.6.1 have stability and other fix so are you apply on 68.6.0?? or in another update for tor browser upgrade to 68.6.1??

April 05, 2020

Permalink

Impact Description: critical
"We are aware of targeted attacks in the wild abusing this flaw."

Is there any information about which security levels were affected?

April 06, 2020

Permalink

I use TAILS. Please forgive me if I'm not posting at the correct place, but I don't see any forum on TAILS web site for posting comments. I have seen no mention on the TAILS web site of the FireFox patches. Are the TOR developers in touch with TAILS folks. Will TAILS be patching their software?

April 06, 2020

Permalink

Which Linux distributions do you -torproject- recommend for running the Torbrowser?
Are there any problems with the *buntus -Ubuntu, Kubuntu, etc.?

April 08, 2020

In reply to boklm

Permalink

@boklm:

Do you know if Debian is still maintaining the onion mirrors for the huge Debian repository? That was an invaluable service but it seems to have become all but unusable in recent weeks.

If this could be fixed, Debian would be a natural choice for the Tor enthusiast. But I'd love to see TP work with Ubuntu to create onion mirrors for the Ubuntu repositories.

I'd also love to see onion mirrors for other repositories including some which are said to be very popular with people working on digital contact tracing, the semi-mythical "Deep State Resistance movement", etc. (I see former USIC chiefs and retired generals are demanding support for whistle-blowers--- those who remember the vital contribution to democracy made by people like Diane RoarK, Edward Snowden and Chelsea Manning will appreciate the delicious irony.)

April 06, 2020

Permalink

Just one anonymous person's opinion, but after the recent javascript cock-up I have decided not to use Tor Browser for mission critical stuff. I don't trust the Tor interface anymore. I don't trust turning off javascript either in the security settings or in the about:config panel.

Tor Browser is just a condom. It's built thin for your pleasure, not security. I'm going to use it as a convenient proxy, nothing more.

>I have decided not to use Tor Browser for mission critical stuff.
What else would you use? It's not like they are better alternatives. Maybe a simple text browser connected to Tor network can offer you more security, but it won't be anonymous since the browser will have different fingerprint and behavior.

>I don't trust the Tor interface anymore. I don't trust turning off javascript either in the security settings or in the about:config panel.
Yes, you have valid concerns, but this is the fault of being based on current bloated Firefox. When Tor Project chosen Firefox as it base browser it was decade ago or more, Firefox and webpages were a different thing than they are now. Current Firefox is a mess full of security issues and fingerprinting ability. But so are other mainstream browsers. As the internet and browsers keep getting more and more bloated, we will have more and more security issues, it will get worse.
Maybe it's time for Tor Project to reconsider if Firefox is the appropriate choice. Or maybe Tor Browser should strip many parts of Firefox and only use the core features. Things like javascript blocking should be done in Tor Browser code, not relied on some crappy untrustable 3rd party extension like NoScript.

https://2019.www.torproject.org/docs/faq.html.en#IsItWorking
"Try the Tor Check site." At the bottom of it, "JavaScript is (or is not) enabled."

https://support.torproject.org/about/can-i-use-tor-with/
"In short, do not torify any applications yourself unless you know exactly what you are doing."

https://support.torproject.org/about/no-data-scrubbing/
"Tor" is the network. "Tor Browser" is the fork of Firefox modified for privacy included in a bundle with the tor network daemon (lowercase T).

https://2019.www.torproject.org/docs/faq.html.en#TBBOtherBrowser
https://2019.www.torproject.org/docs/faq.html.en#TBBSocksPort
https://2019.www.torproject.org/docs/faq.html.en#SocksAndDNS

April 07, 2020

Permalink

When I try to install TOR a pop up message comes up saying that the app I am trying to install is not Micro Soft verified and MS wants me to go to their app store. How does one get around this MS problem?