New Release: Tor Browser 9.0.9

Tor Browser 9.0.9 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 68.7.0esr, NoScript to 11.0.23, and OpenSSL to 1.1.1f.

Also, this release features important security updates to Firefox.

The full changelog since Tor Browser 9.0.8 is:

  • All Platforms
    • Update Firefox to 68.7.0esr
    • Bump NoScript to 11.0.23
    • Bug 33630: Remove noisebridge01 default bridge
  • Windows + OS X + Linux
    • Bug 33771: Update some existing licenses and add Libevent license
    • Bug 33723: Bump openssl version to 1.1.1f
  • Windows

> The reason for stopping Tor Messenger has nothing to do with FBI.

I'm not saying that I believe the official reason was a lie, but everyone who works with TP needs to know that because of the way the feds use NSLs and other administrative subpoenas which come with eternal gag orders, only Isa (and possibly a lawyer) would know TP has received an order which can never be discussed.

Riseup users will no doubt recall that this is exactly what happened when Riseup was served. (It has never been explained why Riseup was served. Twice. So far. That we know of.) Most people never knew anything about it, and even when alert users started asking why the "warrant canary" had mysteriously not been renewed as had always happened in previous quarters, there was total silence. Which alert users interpreted (correctly as it turned out) to mean that Riseup was acting under compulsion against the best interests of its thousands of endangered users all over the world.

This is why the adamant refusal of Tor Project to discuss certain concerns is worrisome.

In particular, in the past, Tor Project has vowed (although not recently), "we will never insert a backdoor into Tor". This vow sounds good but it is essentially meaningless unless

A. TP explains what is the plan if the US Congress passes a law such as the EARN-IT Act which would appear to legally mandate some kind of "backdoor" in all encryption used in US jurisdictions,

B. a suitably broad definition of the word "backdoor" is stated.

If TP's definition of "backdoor" is "obviously malicious covert access code openly inserted into the source code of Tor client or server software", then the vow carries little weight because NSA is not likely to do something so idiotic as telling the people they want to spy upon that they are spying. (Some national spy agencies like do that kind of thing, but USIC traditionally cares very much that their victims not be aware of what the spooks are seeing/stealing.)

Rather, NSA (or FBI or other agencies with overbroad powers) is likely to quietly cripple some part of Tor infrastructure such as

(i) critical "upstream" code, e.g. by forcing developers of a pseudorandom number generator to change a parameter which nonobviously weakens the PRNG, with a gag order preventing them from telling anyone that they were forced to make a seemingly minor change which immediately would look very suspicious if the devs could only say "NSA made us do it; we don't know why",

(ii) forcing producers of operating systems to fail to fix something as dangerous as the Shellshock bug,

(iii) forcing chip manufacturers to include some microscopic undocumented feature which enables covert remote access by "the authorities" (similar to what some experts claim to believe the CN government does with Huawei hardware, and also similar to a massive up-scaling of the covert diversion of hardware to secret NSA sites where covert "implants" are inserted into a hardware device such as a server (the kind of deep intrusion which is impossible to remove, but which is thought to require physical access to the device)).

In the same way, when TP appears to be uninterested in pursuing reports of what might be a serious problem, people worry that someone is ordering you to ignore the issue.

This fear is not in any way an imputation against the character of anyone associated with TP, since everyone needs to understand that it is hardly fair to ask any person to risk spending the rest of their life in prison (which is pretty much what the NSL statute says will happen to anyone who violates a gag order) just because they believe in a good cause.

That said, I continue to hope that if USG does attempt to bully key Tor people, that someone will show the kind of extraordinary courage which Snowden possessed. And I believe that if someone simply calls a press conference and displays the NSL in defiance of the gag order, the government will back down with a weak excuse (typically "the new guy made a mistake; it turns out we never needed the information asked for in the NSL you received so forget the whole thing please"). This kind of excuse virtually begs for a class action lawsuit, but all such suits are tossed by a court system which is all too well aware that judges too can be spied upon by NSA, a thought which terrifies them into spinelessness.

Stay well, and please try hard to protect endangered users even if EARN-IT is enacted.

Some of the things we do to make it possible to check that there are no backdoors are:
- publishing all the source code of the software we distribute
- doing reproducible builds: https://blog.torproject.org/deterministic-builds-part-one-cyberwar-and-…

I know nothing about this EARN-IT Act you are mentioning, but maybe that's something you want to discuss with EFF.

When I replied as above to boklm, I did not yet know about the layoffs. Obviously, I am frustrated by the repeated refusal over years for Tor Project to engage in meaningful discussion of the challenge of preventing USG from quietly crippling Tor in some way which does not fit a too-narrow definition of "backdoor". To reiterate:

Publishing the source code has real value, and reproducible builds is an enormous advance. But these things are not enough to make it hard for USG to cripple Tor by crippling some essential part of the Tor infrastructure which is not part of the openly published Tor code at all. That's what I am worried about.

Further, if EARN IT Act becomes law in the USA, Tor may be forced to remain silent about some nonobvious critical flaw in the Tor code itself which it is not allowed to fix. I would hope independent researchers would notice any such flaw, but let's not kid ourselves.

All that said, many thanks to Tor people for continuing to provide Tor in the face of many obstacles. Stay safe, don't let the virus or the USG get you!

The following US caselaw precedent will be critical for Tor Project because it concerns the question of how/whether USG can coerce an internet service provider or software provider into breaking its own encryption so that USG agents can spy on users:

https://www.eff.org/press/releases/hearing-tuesday-eff-aclu-and-cyberse…
Hearing Tuesday: EFF, ACLU, and Cybersecurity Expert Ask Court to Unseal Ruling Denying DOJ Effort to Break Encryption
Government Sought Facebook Messenger Voice Calls
Press Release
27 Apr 2020

> Seattle, Washington—On Tuesday, April 28, at 9 am, Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), and Stanford cybersecurity scholar Riana Pfefferkorn will ask a federal appeals court to embrace the public’s First Amendment right to access judicial records and unseal a lower court’s ruling denying a government effort to force Facebook to break the encryption of its Messenger service.
>
> Media widely reported in 2018 that a federal court in Fresno, California, denied a government request that would have required Facebook to compromise the security and privacy promised to users of its Messenger application. But the court’s order and details about the legal dispute have been kept secret, preventing people from learning about how DOJ sought to break Facebook’s encryption, and why a federal judge rejected those efforts.
>
> ACLU Surveillance and Cybersecurity Counsel Jennifer Granick will argue on behalf of EFF, ACLU, and Pfefferkorn that the public has a right to know when and how law enforcement tries to compel a company—one that hosts millions of people’s private communications—to circumvent its own security features and hand over the contents of its users’ voice calls and other private conversations. This is especially important now, as the Justice Department has repeatedly said that it wants access to encrypted communications, a position that endangers people’s privacy and undermines the security of everyone’s information.

A thousand thanks to Wired for having the courage to warmly recommend Tor Browser and Tails for those seeking health, peace, security, and privacy in time of pandemic!

wired.com
How to Cover Your Tracks Every Time You Go Online
Online tracking can often feel downright invasive. From using VPNs to clearing browser histories, we've got your back.
12 Apr 2020

> If you need some serious privacy for your web browsing, you've got yet more options to turn to. For maximum protection, switch to the Tor browser, which works a little like a VPN: It bounces your browsing around different servers across the world, making it very hard for anyone to link your activity back to you.
> The Tor browser also keeps an extra eye out for plug-ins and other web code that can reveal your location; it can even be used to browse the web in a country where the internet is being censored. Your browsing will be a little slower as a result of all this extra protection, but you might well consider it worth it.
> If you want to go further, Tails OS is an entire operating system built around the Tor browser, which you can run from a USB stick. The idea is that you've got an incognito mode for your entire system—every time you boot it up, it's like you're booting it up for the first time. (Tails stands for The Amnesiac Incognito Live System.)
> There's a full guide to installing and using Tails OS here, and whenever you need that extra level of security, restart your computer and boot from the USB drive rather than your normal operating system. You can even use a Tails OS USB drive to work on other people's computers and leave no trace behind.
> Even with Tor and Tails OS, be cautious about what you do online. If you log into Facebook and then press Like on a local flower shop, Facebook and its advertisers are still going to know you like flowers, even if no record is left on your device.

> include a translation extension

Translation extensions send the full URLs and the text of the pages you are reading to a third party. Do you want to give automatic copies of your browsing history to Google? What about Asian languages?

> when I set higher security I can't see video or images.

Tor Browser comes with the NoScript add-on. The security level changes the website permissions in the NoScript settings.
https://tb-manual.torproject.org/es/security-settings/
https://support.torproject.org/es/
You can change the language at the top of the page.

Here is an earlier comment thread that asks how to watch videos. It is in English.
https://blog.torproject.org/comment/286855#comment-286855

> I would like them to release a messaging chat app like Signal messenger

https://support.torproject.org/es/tormessenger/

Anonymous

April 09, 2020

"Tor Browser 9.0.9 is now available from the Tor Browser download page"

No it's not. The link is broken.

Anonymous

April 09, 2020

Not really:

Found

The requested URL was not found on this server.
Apache Server at dist.torproject.org Port 443

A minor tails bug (I know, I know, Tor is not Tails Project): when I download multiple PDFs, when I open the first one with a viewer, the app crashes. After that it works. Suspect something to do with mishandling those pesky un-needed but hard to expunge thumbnails.

Thought I'd mention it in case someone else has noticed this.

Anonymous

April 09, 2020

* Using TBB 9.0.8 *

Help->About-> "Update failed." "Download the latest version"

Then in top/right hand corner of the screen I see a popup:

"Tor Browser can't update to the latest version."

"Download a fresh copy of Tor Browser and we'll help you to install it."

Why won't it auto update like it used to? This makes me a sad monkey.

> One of your mirrors is having an issue. We are working to fix it soon.

Thanks for the response. After clicking and clicking and giving up, I launched Help->About once more and it said to restart to apply changes... so I did and the upgrade worked. There was no countdown to update like usual....I don't know how or why, but this pleases me because it finally upgraded!!

Sad monkey is now h/\ppy monkey!

Anonymous

April 09, 2020

Before this update, I was using psiphon+Tor to bypass censorship, but after this, it doesn't work anymore, is there a ticket for this?

Anonymous

April 09, 2020

Just wanted to say a big thanks to you all for the hard work keeping up with all the Firefox security updates :)

Anonymous

April 09, 2020

Cannot torrent anymore.
When you click on 'Get this Torrent' on any site it opens a new blank tab that says: about:blank

It works for me. It's likely your site has a problem, or your security level is interfering. Try right click, Copy link location. Getting a .torrent meta file or information doesn't mean torrenting it.

Tor Browser is not a torrent client so it was never possible to torrent using it.
If you want to download torrents using torrent client then right click on 'Get this Torrent', click Copy Link Location, then open your Torrent Client and add a new download, paste the copied link.
If you want to download torrents using the Tor network, the recommended way is to use Whonix virtual machine https://whonix.org just start torrent client inside the virtual machine.

Anonymous

April 10, 2020

Hi
There is a problem when watching a video on Youtube in this update.
A white page appears in the bottom of the video page. PLEASE fix it soon.

I'm seeing this, too, on Youtube's player. Pause or hover the mouse on the video, and the bottom half becomes white. It started after I installed TB 9.0.9, but it could be something Youtube has done.

I know it's not a fix but until Tor Browser gets fixed you can use youtube-dl software to watch videos
install this https://yt-dl.org/
then call it with option --proxy "socks5://127.0.0.1:9150"
youtube-dl --proxy "socks5://127.0.0.1:9150" HERE_LINK_TO_THE_VIDEO
this will download video to your disk, you can then use any video player to watch it

As long as you don't get hit with a captcha. It usually takes me 4-6 new identities. I have a feeling youtube-dl is the reason that many of the exit nodes are captcha'd by Youtube/Google. The captcha page says something about "you or someone on your network is using an unofficial Youtube app. Unofficial apps may track you, contain malware, or wear down your battery, and use of unofficial apps violates our terms of service. Make sure you use only the official YouTube app from the Android/iOS app store, or the Youtube website in your browser." Sounds to me like they're blocking apps that people use to download or view videos without ads.

Invidious is an alternative front-end to YouTube https://invidio.us

Audio-only mode (and no need to keep window open on mobile)
Free software (AGPLv3 licensed)
No ads
No need to create a Google account to save subscriptions
Lightweight (homepage is ~4 KB compressed)

Tools for managing subscriptions:
Only show unseen videos
Only show latest (or latest unseen) video from each channel
Delivers notifications from all subscribed channels
Automatically redirect homepage to feed
Import subscriptions from YouTube

Dark mode
Embed support
Set default player options (speed, quality, autoplay, loop)
Does not require JS to play videos
Support for Reddit comments in place of YT comments
Import/Export subscriptions, watch history, preferences
Does not use any of the official YouTube APIs

See Invidious Instances for a full list of publicly available instances. https://github.com/omarroth/invidious/wiki/Invidious-Instances

Official Instances
https://invidio.us/
kgg2m7yk5aybusll.onion
axqzx4s6s54s32yentfqojs3x5i7faxza6xo3ehd4bzzsg2ii4fv2iid.onion

Anonymous

April 10, 2020

Hi! I have run into problems with watching videos on (youtube), this should work out of the box with html5 but there seems to be an issue because it is hiding away half of the screen when scrolling up or pausing the video.

hope this can be fixed soon, thx in advance.

Anonymous

April 10, 2020

I will go back and continue using the older version of Tor Browser until the issue with watching youtube videos has been fixed.

Anonymous

April 10, 2020

Hi again guys, so i went back to the 8.0.8 version to get rid of the youtube video issue where half the screen disappears and the problem is even in the old version. so i have no idea what is causing this to happen. i had no issues watching html5 videos on youtube until yesterday. could it be google screwing something up?

fk this is annoying. haven't made any new updates on the distro, but it occurred just a moment after my latest tor browser update. but if it is caused by a bug in 9.0.9 it shouldn't show up in older versions of tor. this is soo frustrating.

any idea on how to fix this or what might cause half the screen to go white when scrolling up or holding mouse arrow on the video? thx in advance

Anonymous

April 10, 2020

Hello from Win7 32bit - after upgrade to TBB 9.0.9 - YouTube plays video incorrectly - only top half is visible, bottom half is BLANK (also there is reaction on mouse-over\mouse-out - as the workaround - video view becomes ok). Please see the image - https://ibb.co/X5wm6Bk
Also the issue may be related to Google-Youtube scripts? I did not check 9.0.8 TBB version.