New Release: Tor Browser 9.5.1

by sysrqb | June 30, 2020

Tor Browser 9.5.1 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 68.10.0esr and NoScript to 11.0.32.

Also, this release features important security updates to Firefox.

The Windows installer is now code signed with a new Authenticode certificate. Please report any issues you encounter with this version.

The full changelog since Tor Browser 9.5 is:

  • All Platforms
    • Update Firefox to 68.10.0esr
    • Update NoScript to 11.0.32
    • Translations update
    • Bug 40009: Improve tor's client auth stability
  •  Windows + OS X + Linux
    • Bug 34361: "Prioritize .onion sites when known" appears under General
    • Bug 34362: Improve Onion Service Authentication prompt
    • Bug 34369: Fix learn more link in Onion Auth prompt
    • Bug 34379: Fix learn more for Onion-Location
    • Bug 34347: The Tor Network part on the onboarding is not new anymore

Comments

Please note that the comment area below has been archived.

July 01, 2020

In reply to sysrqb

Permalink

i'll collect the IPs first and then i'll check if they are listed in torstatus.
what can it be? some dirauth traffic or a new (de)centralized user-IP collecting service?

July 01, 2020

In reply to sysrqb

Permalink

OP
my firewall is blocking everything except the traffic to my entrynodes.
tor is trying to connect to a random node once - no retry - short after launch and
before the firefox window pops up. happens within 'Bootstrapped 15%'.
there is no error message in the console. it looks like tor tries to send a ping.

95.128.43.164 not listed in torstatus
171.25.193.20
54.36.237.163
86.105.212.130
81.7.14.253
163.172.194.53
54.37.139.118
185.100.86.182
163.172.176.167
163.172.149.155
213.183.60.21
193.70.43.76
212.47.229.2
212.47.233.86
217.279.179.177 not listed in torstatus

July 03, 2020

In reply to sysrqb

Permalink

Could you explain what you mean by "offline relay"? Do you mean that if a node drops off Tor Network a few minutes before a Tor client neccessarily using partially out of date information tries to reach out to it, that could appear suspicious to someone worried about "phoning home"?

OP
Browser Console error message:
[Exception... "Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIAppStartup.secondsSinceLastOSRestart]" nsresult: "0x80004001 (NS_ERROR_NOT_IMPLEMENTED)" location: "JS frame :: resource:///modules/BrowserGlue.jsm
:: _collectStartupConditionsTelemetry :: line 1547" data: no]...............................BrowserGlue.jsm:1547:9

_collectStartupConditionsTelemetry resource:///modules/BrowserGlue.jsm:1547
BG__onFirstWindowLoaded resource:///modules/BrowserGlue.jsm:1649
BG_observe resource:///modules/BrowserGlue.jsm:847
_delayedStartup chrome://browser/content/browser.js:2127
_delayedStartup self-hosted:1003

_collectStartupConditionsTelemetry ???
are you collecting startup conditions information over a random tor circuit?

The default behavior of Firefox is to collect telemetry on users. Tor Browser disables that behavior, or at least tries to.

With every new Firefox release the telemetry gets more invasive. Tor team must review the code each time to remove the telemetry. While it is possible they might have missed something (because humans are fallible) simply having the word 'telemetry' in an output string doesn't mean its actually connecting to anything. They probably just forgot to remove that output.

More testing amongst many users would be good, to verify this is the case.

i configured my entrynodes. they were not selected randomly. i edited torrc and the state-file to:
Guard in=default rsa_id=...........nickname=example1.......
Guard in=default rsa_id=...........nickname=example2.......
Guard in=restricted rsa_id=......nickname=example1.......
Guard in=restricted rsa_id=......nickname=example2.......
there was no additional (or random) traffic necessary to fetch the concensus and this worked over years.
(i know a state-file in a fresh install is different to my one.)
my firewall (IP-based) is blocking this mysterious traffic. nothing else than my entrynodes are allowed.
happens on a fresh install too. it must have to do with your recent changes in 9.5.1. i never had this before.
either tor is trying to send a ping or tor is trying to send data to a collector service or tor tries to fetch some
additional information. TBB works properly without this traffic and i would like to know what it is and how to turn it
off.

This sounds like expected behavior. I'm surprised you haven't seen this previously. The way you are configuring the entry nodes does not enforce only using those nodes. Occasionally tor connects to other entry nodes (in addition to the nodes listed in the state file).

You don't, that is a terrible hack. Explicitly configure the nodes you want in the torrc file as EntryNodes. If you really, really only want to use a small set of entry nodes then use bridges.

OP
StrictEntryNodes 1 or StrictNodes 1 is not applied before, after EntryNodes, on top or at the bottom
of torrc or torrc-defaults. where to put this expression not to be ignored or break tor?

July 01, 2020

In reply to sysrqb

Permalink

i've checked a few IPs. not all of these random nodes are listed in torstatus.
why is tor trying to connect? they are not part of my torrc or state-file.

I am not sure about Tor Browser on some OS such as Windows, but Tails certainly expects users to use onion sites, for which it is important that the clock be accurate, so in past editions, when starting Tails, one could see NTP protocol while the Tor client was connecting to the Tor network. In more recent editions, everything seems to be going through Tor, so perhaps trying Tails (tails.boum.org) will alleviate these "phone home" concerns.

Tails uses the same Tor Browser as is available from the torproject.org download page. If there are *any* connections being established without using tor, then that must be fixed.

July 01, 2020

Permalink

when i have the latest update, tor will not let me on. i am running Widows 7; is that a problem?

July 01, 2020

Permalink

Are updates automatically installed over the Tor network? Does the update installer honor configuration like bridges and proxies?

Yes, the update is downloaded over Tor (and the integrity of the downloaded file is checked before the update is applied). The update should not modify the configured bridges or proxies.

July 01, 2020

In reply to sysrqb

Permalink

Thanks for the response, but are the updates themselves downloaded over Tor using the specified bridges or proxies? Would the download itself bypass any of these settings?

July 01, 2020

In reply to sysrqb

Permalink

Is the integrity (hash sum) file fetched on the same circuit as the update file? Are the update and the integrity file downloaded from onions or through exit nodes?

Downloading an update requires multiple steps. Every server is contacted as a DNS hostname (or IP address) over HTTPS, none of them use onion services (yet).
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/172…

1) Tor Browser contacts server "A" and asks if an update is available. If there is an update, then server "A" responds with metadata about the update file (a URL for that file, the size of the file, the SHA512 hash of the file).
2) Tor Browser follows the provided URL and connects to server "B" and downloads the file
3) Tor Browser verifies the size of the file and sha512 hash of the file are as expected
4) Tor Browser verifies the cryptographic signature on the file. Tor Browser has two public keys hard-coded for which signatures on updates will be accepted.

The update is installed after all checks pass.

July 01, 2020

Permalink

This site glitches if I try posting a comment on the safest security level. I'm on Windows and using 9.5.1, but this issue has been around since 9.5.

This is unlikely to be fixed anytime soon (just as it hasn't been fixed in the last 3 years). Moving to a new blog platform is more likely. Javascript is a de facto requirement on the web now. If you don't want to browse the web with javascript enabled, then that is your choice. The Tor Project puts a lot of effort into making its websites operate seamlessly without javascript available, but sometimes that isn't possible. Unfortunately Drupal is a beast, and solving this problem is not easy. If you want to leave a comment but you don't want to enable javascript, then you should investigate using Tails.

July 03, 2020

In reply to sysrqb

Permalink

(Not the OP)

I am using Tails 4.8 and just to be clear, to avoid getting caught in an endless loop in which the blog software tries to continually reload the page, you need to drop down from "Safest" to "Safer" in the Tor Browser.

However, I second the recommendation to use Tails (see tails.boum.org). Journalists, activists, political staffers, local and regional government officials, high school students, employees of companies fond of spying on their workforce, all kinds of people should use Tails for everything online (and probably many things offline too).

July 01, 2020

Permalink

Windows digital sign check fails for installer, proceed with caution until developers give explanations.

Can you provide the version of Windows you are using? The installers for this version are signed with a new Windows signing certificate (the new certificate was originally tested in the previous alpha version: 10.0a1).

July 01, 2020

Permalink

Re-downloaded it today and passed the sign verification, I had the first download right after it appeared on https://dist.torproject.org yesterday but failed. But please explain why it originally failed and how the signing process works now.

Ah. I see. Yes, before the 9.5.1 was officially released the .exe installers were originally signed using the old signing certificate. This installers were re-signed with the new, valid certificate before the new version was announced.

July 01, 2020

Permalink

For quite a while now, the Windows' Torbrowser seems to forget/erase DuckDuckGo searches, so that if a link is clicked in a search and it proves no good, when the browser back button is clicked to go back to the search, DuckDuckGo reverts to a blank starting page, not the previous search results. Very annoying and inconvenient. Is this a cache thing or is there some setting in config that can be changed?

(It does not affect the Android version of TorBrowser, strangely enough)

this is what I figured the cause was as well

When you search from the address bar your search terms are sent in a POST request to https://duckduckgo.com/, but when you search from the website they're sent in a GET request to https://duckduckgo.com/?q=your+search+terms. When you click the back button, it doesn't do the same POST request, so instead of searching it just brings you to the DuckDuckGo homepage.

July 03, 2020

In reply to sysrqb

Permalink

I always thought that refusing to reload search pages was a feature, not a bug!

This happens on Startpage too. I think it's a privacy feature of the site, (cache-control: max-age=1), so that searches aren't saved in browser history or restore tabs for example. Sometimes I actually get a "Document Expired" error, and reloading the page goes back to the home page.

July 01, 2020

Permalink

Running a fully updated version of the current release of fedora.

Got the notice several hours ago about the new version 9.5.1 of Tor Browser and clicked the up arrow icon to restart to update.

a small alert window with a progress bar says something like "tor is installing your updates..." and very quickly it finishes and disappears and tor browser opens. But the version still says 9.5 and when I click View Changelog is still says Release Date June 2 2020.

I tried closing and opening tor browser several times several hours ago and again now, but it doesn't actually update. I saw similar behavior the last couple updates, too, but after restarting one or two times then the update worked.

Thank you to your team, I love using Tor & Tor Browser.

Your description sounds like there is a failure in the applying the update. Tor Browser downloads an update and verifies its integrity. After that is successful, the browser notifies you that an update is available and restarting the browser will install it. When the browser restarts, it tries applying the update. When this process fails, then the browser remains on the current version.

You may find a useful/informative log file in the Tor Browser directory under Browser/TorBrowser/UpdateInfo/updates/last-update.log. Some more details can be found on this page https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Platform_I…

Do you see that file and any errors in that file?

Thanks for your answer. Here's the content of the update log:

PATCH DIRECTORY /home/x/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/UpdateInfo/updates/0
INSTALLATION DIRECTORY /home/x/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser
WORKING DIRECTORY /home/x/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser
UPDATE TYPE partial
PREPARE PATCH updater
PREPARE PATCH tbb_version.json
PREPARE ADD removed-files
PREPARE ADD precomplete
[...]
EXECUTE PATCH libxul.so
### execution failed

[edited: trimmed content]

July 04, 2020

In reply to sysrqb

Permalink

Yes, the last two lines are:
failed: 64
calling QuitProgressUI

The last several lines before that are:

FINISH PATCH browser/features/onboarding@mozilla.org.xpi
backup_restore: cannot get info for backup file: browser/features/onboarding@mozilla.org.xpi.moz-backup, err: 2
FINISH PATCH browser/blocklist.xml
backup_restore: cannot get info for backup file: browser/blocklist.xml.moz-backup, err: 2
FINISH PATCH application.ini
backup_restore: cannot get info for backup file: application.ini.moz-backup, err: 2
FINISH PATCH TorBrowser/Tor/tor
backup_restore: cannot get info for backup file: TorBrowser/Tor/tor.moz-backup, err: 2
FINISH PATCH TorBrowser/Docs/ChangeLog.txt
backup_restore: cannot get info for backup file: TorBrowser/Docs/ChangeLog.txt.moz-backup, err: 2
FINISH ADD TorBrowser/Data/Browser/profile.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
backup_restore: cannot get info for backup file: TorBrowser/Data/Browser/profile.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi.moz-backup, err: 2

Thanks. That "failed:" number indicated the update failed while it tried writing an updated version of a file onto your hard drive. As the below comment suggests, this could be due to having insufficient disk space for the new version. Firefox (and Tor Browser) do not handle this situation well.

July 01, 2020

Permalink

Hi,

The browser does not open and sometimes even if it opens the tab crashes. The OS is Windows 8.1 Pro, 64 bit and Antivirus is Quick Heal Internet Security Essentials. I tried disabling the antivirus, firewall but nothing seems to work. Please help...

July 04, 2020

In reply to sysrqb

Permalink

" trade-off: break the web or reveal the OS. "

That's no explanation for i'm forced to reveal the real OS, especially with Javascript on.
Suddenly, the devs switch off this Anti-Fingerprinting Defense.
ALL older versions have had this feature and it's strange to make it impossible to spoof the usaeragent.

July 03, 2020

Permalink

--
Hello! Need some help:

There is a discussion with OpenNet-site owner to provide onion-mirror of the site - https://www.opennet.ru/openforum/vsluhforumID4/591.html
It looks like OpenNet is already quite friendly to Tor-users, unfortunately owner is quite conservative and requests the reasons to run onion-service. Have to say I share some his concerns and thus I did a brief web-search:

https://community.torproject.org/onion-services/
--
What are Onion Services?
Onion services are services that can only be accessed over Tor.
Running an onion service gives your users all the security of HTTPS
with the added privacy benefits of Tor Browser.
--

https://riseup.net/en/security/network-security/tor/onionservices-best-…
--
Onion services don’t need to be hidden!
You can provide a onion service for a service that you offer publically on a server that is not intended to be hidden.
Onion services are useful to protect users from passive network surveillance,
they keep the snoopers from knowing where users are connecting from and to.

--
Ask your favorite online service to provide an onion service!
Advocate for more onion services by asking those who provide the services that you use to make them available.
They are easy to setup and maintain, and there is no reason not to provide them!
--

Summarizing the above - onion-version of OpenNet may
* bring some (what?) "added privacy benefits" to users.
* "keep [the evils] from knowing where users are connecting from"
- Could you please say - What did I miss?

Concerning RiseUp's "there is no reason not to provide them" - the site-owner argues that extra functionality potentially increase number of vectors for attacks. Thus "there is no reason not to" - is not a reason to do :-)

Could anybody provide more arguments for adding onion-service?

Personally I see the reason to keep a browsing within TorNetwork
* to avoid ClearNet DNS-requesrs and
* (probably) avoid pumping Web-traffic via any of TorExitNodes (as ones are potentially more risky?).
- so this is all about "to protect users", are there any other reasons?
Dos it mean that all the onion-stuff is about - "to protect users"? Does onion-version protects users sufficiently better than Tor+HTTPS?

Also unfortunately https://www.eff.org/pages/tor-and-https does not illustrates the situation with onion-services.
So -
* What are benefits of visiting site-onion-version over Tor+HTTPS for users?
* Are there pitfalls of keeping site-onion-version for site maintainers?

Also https://community.torproject.org/onion-services/overview/
provides some descriptions -
* "Location hiding" - it is not hidden site, seems like unnecessary for this situation
* "NAT punching" - not sure about, seems like unnecessary for this situation
* "End-to-end authentication" - i.e. about avoiding DNS-attacks and MITMs
* "End-to-end encryption" - i.e. strong crypto

Are there any advocates to help to point to extra reasons to prepare onion-service of opennet.ru?
--

July 04, 2020

Permalink

My Tor Browser reveals all the fonts that I have when I have JavaScript enabled. For that reason, I can't enable JavaScript or else my fingerprint is in fact very unique according to EFF Panopticlick and others. What can I do?

It does not, Tor Browser only reveals a small amount of installed fonts. See the following information at https://2019.www.torproject.org/projects/torbrowser/design/#fingerprint… (search for "6. Fonts"):

"For Windows and macOS we use a preference, font.system.whitelist, to restrict fonts being used to those in the whitelist. This functionality is provided by setting privacy.resistFingerprinting to true. The whitelist for Windows and macOS contains both a set of Noto fonts which we bundle and fonts provided by the operating system. For Linux systems we only bundle fonts and deploy a fonts.conf file to restrict the browser to use those fonts exclusively. In addition to that we set the font.name* preferences for macOS and Linux to make sure that a given code point is always displayed with the same font. This is not guaranteed even if we bundle all the fonts Tor Browser uses as it can happen that fonts are loaded in a different order on different systems. Setting the above mentioned preferences works around this issue by specifying the font to use explicitly. "

July 04, 2020

Permalink

TorBrowser for Android: after version 9.5 finally stopped leaking locale in the http_accept headers, version 9.5.1 unfortunately shows this behavior again. Why?

July 04, 2020

Permalink

HELLO everyone.

How can I fully turn off telemetry and associated things? Because in last update settings like "allow Mozilla collect data..." got removed from setting`s panel and how I understood due to comments session - its now switched on by default...

July 05, 2020

Permalink

Yo sooo for some reason I have a bug that whenever I open links from other apps like let's say I oppend a link from an email tor will not load the link even if I refresh it

July 05, 2020

Permalink

Scan Started Wed May 20 04:38:00 2020 (ClamWin Antivirus+ClamSentinel active shield)
C:\...\torbrowser-install-9.5a12_en-US((32bit)).exe: Win.Malware.Nymeria-6913499-0 FOUND
C:\...\torbrowser-install-9.5a12_en-US((64 bit)).exe: Win.Malware.Nymeria-6913499-0 FOUND
What about that?

July 05, 2020

Permalink

If http download via Tor Browser itself doesn't work, what is the fallback?

In recent weeks I have often experienced the following while trying download various files in various formats from various sites, including TBB 9.5.1 from this site (both the www and onion version), using Tor Browser:

Initially the download seems to be proceeding normally, but when it is about 90% complete (independent of file size) the connection is severed. Clicking "reload" sometimes starts from byte 0 and then fails, and sometimes loads a few more bytes and then fails.

In such cases I have only been able to obtain the file using

torify wget -c ""

but this does not work for onion sites.

Three questions:

o is there an innocuous explanation for these download failures?

o can Tor Project suggest a workaround?

o seeing the "onion available" notice at right in the URL pane is very nice feature, but shouldn't (left? right?) clicking on that notice load the onion version? This does not seem to work for me.

July 06, 2020

Permalink

it's not working well on macos Big Sur beta , whatever website i open it shows a blank page , it loads the page but everything is hidden

July 09, 2020

Permalink

I think this topic is an ongoing issue; please correct if I am wrong. I want privacy/safety as we all do. Adjusting script threshold lower does not sound like a good idea (to me). Can you somehow shorten or eliminate the devilish NoScript warning that leaps onto the screen filling and covering the page that I am looking at and then getting smaller although still covering my work? It doesn't seem to care what site I am on and affects my using the computer. It happens too often and is always annoying. I get to where picking the choices is not as good as just x'ing it out. Give it some thought. Thank you.

July 13, 2020

Permalink

Thank you Tor Project for the amazing work you do! We love you!

It seems TB 9.5.1 is allowing ads through, and suggests terms when I start typing in the url field: things that the previous TB version I had did not do. This is even on "Safest" security settings. I know how to change these behaviors, but I generally never modify TB's settings, as it makes me more unique. Are these changed behaviors known and on purpose? This is on Linux Mint 19.3 and 20 with TB 9.5.1.

July 26, 2020

Permalink

For the last 2 releases there's been a large border around the browser. The thickness of this border depends on the width and height of the browser. When the browser is in full screen, the left and right borders are pretty wide and the bottom one is extremely wide (I would guesstimate it to be about 10% of the window height).

Here are a few notes from some troubleshooting I've done.

  • I have tried with the light, dark and default themes and the issue persists.
  • This issue is present no matter the website I'm on (onion or not), but isn't when I'm on Tor browser option pages.
  • Zooming in and out doesn't do anything.