New Release: Tor Browser 9.5.1

Tor Browser 9.5.1 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox to 68.10.0esr and NoScript to 11.0.32.
Also, this release features important security updates to Firefox.
The Windows installer is now code signed with a new Authenticode certificate. Please report any issues you encounter with this version.
The full changelog since Tor Browser 9.5 is:
- All Platforms
- Update Firefox to 68.10.0esr
- Update NoScript to 11.0.32
- Translations update
- Bug 40009: Improve tor's client auth stability
- Windows + OS X + Linux
- Bug 34361: "Prioritize .onion sites when known" appears under General
- Bug 34362: Improve Onion Service Authentication prompt
- Bug 34369: Fix learn more link in Onion Auth prompt
- Bug 34379: Fix learn more for Onion-Location
- Bug 34347: The Tor Network part on the onboarding is not new anymore
software certificate from…
software certificate from TBB9.5.1 for mswindows is outdated.
This blog post should be at…
This blog post should be at the top of the page. Thank you for the update.
When is 78 based coming?
When is 78 based coming?
Soon.
Soon.
CAUTION! tor is phoning home…
CAUTION!
tor is phoning home. unwanted traffic to different IPs early after every launch.
Can you provide any more…
Can you provide any more details than this very vague (and harmful) statement?
i'll collect the IPs first…
i'll collect the IPs first and then i'll check if they are listed in torstatus.
what can it be? some dirauth traffic or a new (de)centralized user-IP collecting service?
Please provide the IP…
Please provide the IP addresses so we can help answer these questions.
OP my firewall is blocking…
OP
my firewall is blocking everything except the traffic to my entrynodes.
tor is trying to connect to a random node once - no retry - short after launch and
before the firefox window pops up. happens within 'Bootstrapped 15%'.
there is no error message in the console. it looks like tor tries to send a ping.
95.128.43.164 not listed in torstatus
171.25.193.20
54.36.237.163
86.105.212.130
81.7.14.253
163.172.194.53
54.37.139.118
185.100.86.182
163.172.176.167
163.172.149.155
213.183.60.21
193.70.43.76
212.47.229.2
212.47.233.86
217.279.179.177 not listed in torstatus
95.128.43.164 - https:/…
95.128.43.164 - https://metrics.torproject.org/rs.html#details/616081EC829593AF4232550D…
217.279.179.177 - probably an offline relay
Did you configure the entrynodes or if your firewall allowing the IP addresses of the guards selected at random?
Could you explain what you…
Could you explain what you mean by "offline relay"? Do you mean that if a node drops off Tor Network a few minutes before a Tor client neccessarily using partially out of date information tries to reach out to it, that could appear suspicious to someone worried about "phoning home"?
Yes
Yes
OP Browser Console error…
OP
Browser Console error message:
[Exception... "Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIAppStartup.secondsSinceLastOSRestart]" nsresult: "0x80004001 (NS_ERROR_NOT_IMPLEMENTED)" location: "JS frame :: resource:///modules/BrowserGlue.jsm
:: _collectStartupConditionsTelemetry :: line 1547" data: no]...............................BrowserGlue.jsm:1547:9
_collectStartupConditionsTelemetry resource:///modules/BrowserGlue.jsm:1547
BG__onFirstWindowLoaded resource:///modules/BrowserGlue.jsm:1649
BG_observe resource:///modules/BrowserGlue.jsm:847
_delayedStartup chrome://browser/content/browser.js:2127
_delayedStartup self-hosted:1003
_collectStartupConditionsTelemetry ???
are you collecting startup conditions information over a random tor circuit?
The default behavior of…
The default behavior of Firefox is to collect telemetry on users. Tor Browser disables that behavior, or at least tries to.
With every new Firefox release the telemetry gets more invasive. Tor team must review the code each time to remove the telemetry. While it is possible they might have missed something (because humans are fallible) simply having the word 'telemetry' in an output string doesn't mean its actually connecting to anything. They probably just forgot to remove that output.
More testing amongst many users would be good, to verify this is the case.
i configured my entrynodes…
i configured my entrynodes. they were not selected randomly. i edited torrc and the state-file to:
Guard in=default rsa_id=...........nickname=example1.......
Guard in=default rsa_id=...........nickname=example2.......
Guard in=restricted rsa_id=......nickname=example1.......
Guard in=restricted rsa_id=......nickname=example2.......
there was no additional (or random) traffic necessary to fetch the concensus and this worked over years.
(i know a state-file in a fresh install is different to my one.)
my firewall (IP-based) is blocking this mysterious traffic. nothing else than my entrynodes are allowed.
happens on a fresh install too. it must have to do with your recent changes in 9.5.1. i never had this before.
either tor is trying to send a ping or tor is trying to send data to a collector service or tor tries to fetch some
additional information. TBB works properly without this traffic and i would like to know what it is and how to turn it
off.
This sounds like expected…
This sounds like expected behavior. I'm surprised you haven't seen this previously. The way you are configuring the entry nodes does not enforce only using those nodes. Occasionally tor connects to other entry nodes (in addition to the nodes listed in the state file).
OP ...and how to enforce…
OP
...and how to enforce using the nodes in state-file only?
You don't, that is a…
You don't, that is a terrible hack. Explicitly configure the nodes you want in the torrc file as EntryNodes. If you really, really only want to use a small set of entry nodes then use bridges.
OP ...and where to read…
OP
...and where to read about this 'hack'?
The configuration you…
The configuration you describe is strongly not recommended, so finding information about it is difficult. However, if you feel this is important then search the following web page for EntryNodes and StrictNodes.
https://2019.www.torproject.org/docs/tor-manual.html.en
OP StrictEntryNodes 1 or…
OP
StrictEntryNodes 1 or StrictNodes 1 is not applied before, after EntryNodes, on top or at the bottom
of torrc or torrc-defaults. where to put this expression not to be ignored or break tor?
i've checked a few IPs. not…
i've checked a few IPs. not all of these random nodes are listed in torstatus.
why is tor trying to connect? they are not part of my torrc or state-file.
torstatus is old. Check the…
torstatus is old. Check the IPs on https://metrics.torproject.org/ --> Relay Search or via the Onionoo API.
I am not sure about Tor…
I am not sure about Tor Browser on some OS such as Windows, but Tails certainly expects users to use onion sites, for which it is important that the clock be accurate, so in past editions, when starting Tails, one could see NTP protocol while the Tor client was connecting to the Tor network. In more recent editions, everything seems to be going through Tor, so perhaps trying Tails (tails.boum.org) will alleviate these "phone home" concerns.
Tails uses the same Tor…
Tails uses the same Tor Browser as is available from the torproject.org download page. If there are *any* connections being established without using tor, then that must be fixed.
torproject doesn't use…
torproject doesn't use ublock though?
Yes
Yes
The "important security…
The "important security updates to Firefox" link in the blog post seems to be broken.
Please check again. Mozilla…
Please check again. Mozilla delayed publishing their advisories due to an issue in FF78.
Thank You for an update.
Thank You for an update.
when i have the latest…
when i have the latest update, tor will not let me on. i am running Widows 7; is that a problem?
Can you provide any error…
Can you provide any error messages you receive?
i am running Widows 7; is…
for this issue idk, but in general yes: https://en.wikipedia.org/wiki/Windows_7#After_14_January_2020
Are updates automatically…
Are updates automatically installed over the Tor network? Does the update installer honor configuration like bridges and proxies?
Yes, the update is…
Yes, the update is downloaded over Tor (and the integrity of the downloaded file is checked before the update is applied). The update should not modify the configured bridges or proxies.
Thanks for the response, but…
Thanks for the response, but are the updates themselves downloaded over Tor using the specified bridges or proxies? Would the download itself bypass any of these settings?
No, the update file is…
No, the update file is downloaded using exactly the same configuration as Tor Browser uses for browsing websites.
Is the integrity (hash sum)…
Is the integrity (hash sum) file fetched on the same circuit as the update file? Are the update and the integrity file downloaded from onions or through exit nodes?
Downloading an update…
Downloading an update requires multiple steps. Every server is contacted as a DNS hostname (or IP address) over HTTPS, none of them use onion services (yet).
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/172…
1) Tor Browser contacts server "A" and asks if an update is available. If there is an update, then server "A" responds with metadata about the update file (a URL for that file, the size of the file, the SHA512 hash of the file).
2) Tor Browser follows the provided URL and connects to server "B" and downloads the file
3) Tor Browser verifies the size of the file and sha512 hash of the file are as expected
4) Tor Browser verifies the cryptographic signature on the file. Tor Browser has two public keys hard-coded for which signatures on updates will be accepted.
The update is installed after all checks pass.
cant login to some sites…
cant login to some sites anything uses can does?
Can you provide more details…
Can you provide more details about why you can't login?
This site glitches if I try…
This site glitches if I try posting a comment on the safest security level. I'm on Windows and using 9.5.1, but this issue has been around since 9.5.
That's probably https://trac…
That's probably https://trac.torproject.org/projects/tor/ticket/22530
Yes, that's it. So it's been…
Yes, that's it. So it's been happening since TB 7.0?
Please take a look at this bug: It's a high-priority and majorly severe problem.
Thanks from all of us high-security users.
This is unlikely to be fixed…
This is unlikely to be fixed anytime soon (just as it hasn't been fixed in the last 3 years). Moving to a new blog platform is more likely. Javascript is a de facto requirement on the web now. If you don't want to browse the web with javascript enabled, then that is your choice. The Tor Project puts a lot of effort into making its websites operate seamlessly without javascript available, but sometimes that isn't possible. Unfortunately Drupal is a beast, and solving this problem is not easy. If you want to leave a comment but you don't want to enable javascript, then you should investigate using Tails.
(Not the OP) I am using…
(Not the OP)
I am using Tails 4.8 and just to be clear, to avoid getting caught in an endless loop in which the blog software tries to continually reload the page, you need to drop down from "Safest" to "Safer" in the Tor Browser.
However, I second the recommendation to use Tails (see tails.boum.org). Journalists, activists, political staffers, local and regional government officials, high school students, employees of companies fond of spying on their workforce, all kinds of people should use Tails for everything online (and probably many things offline too).
Windows digital sign check…
Windows digital sign check fails for installer, proceed with caution until developers give explanations.
Can you provide the version…
Can you provide the version of Windows you are using? The installers for this version are signed with a new Windows signing certificate (the new certificate was originally tested in the previous alpha version: 10.0a1).
Re-downloaded it today and…
Re-downloaded it today and passed the sign verification, I had the first download right after it appeared on https://dist.torproject.org yesterday but failed. But please explain why it originally failed and how the signing process works now.
Ah. I see. Yes, before the 9…
Ah. I see. Yes, before the 9.5.1 was officially released the .exe installers were originally signed using the old signing certificate. This installers were re-signed with the new, valid certificate before the new version was announced.