New Release: Tor Browser 9.0.1

by boklm | November 05, 2019

Tor Browser 9.0.1 is now available from the Tor Browser download page and also from our distribution directory.

Tor Browser 9.0.1 is the first bugfix release in the 9.0 series and aims to mostly fix regressions and provide small improvements related to our 9.0 release. Additionally, we are adding a banner on the starting page for our fundraising campaign Take Back the Internet with Tor.

Known Issue

For each new release, two members from our team are building the release separately and compare the result to make sure that it is reproducible. For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating is making our build not completely deterministic. As a workaround for this issue, we had to do multiple builds until we got matching builds. You might need to do the same if you are trying to reproduce our build.

Note: due to some delay with the signing, the Android version is not yet available. We expect to be able to publish the signed Android version in a few hours. Update: the Android version has been published.

ChangeLog

The full changelog since Tor Browser 9.0 is:

  • All Platforms
    • Update NoScript to 11.0.4
      • Bug 21004: Don't block JavaScript on onion services on medium security
      • Bug 27307: NoScript marks HTTP onions as not secure
    • Bug 30783: Fundraising banner for EOY 2019 campain
    • Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
    • Bug 27268: Preferences clean-up
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.2
      • Bug 32164: Trim each received log line from tor
      • Translations update
    • Bug 31803: Replaced about:debugging logo with flat version
    • Bug 31764: Fix for error when navigating via 'Paste and go'
    • Bug 32169: Fix TB9 Wikipedia address bar search
    • Bug 32210: Hide the tor pane when using a system tor
    • Bug 31658: Use builtin --panel-disabled-color for security level text
    • Bug 32188: Fix localization on about:preferences#tor
    • Bug 32184: Red dot is shown while downloading an update
  • Android
    • Bug 32342: Crash when changing the browser locale
Tags
tor browser
tbb
tbb-9.0

"See how Tails is disabling the updates"

Ok -i hope it works.
But, why torproject and Mozills Corp. think all Torbrowser users, all
Firefox users want to ping yourand their servers, everytime they open Options
or 'About Tor Browser'?
Without loosing trust because it's US-software under US-law?
Can you explain that, why there is no simple No Update option? Logically(-:?

>Can you explain that, why there is no simple No Update option? Logically(-:?
>You can read the discussions in the mozilla ticket where they implemented this

Clap, clap (-:, i have read it. If the distributors don't want explain, don't want discussion, they shouldn't pretend they wan't.
They don't want because there is NO logical explanation why users should accept they have no choice. Manually update shouldn't be sport.
The spirit of Tor - you should know this. It is not much space between trust and distrust.

We did not decide to remove this option. Mozilla did it, and they explained why.

I don't really like it myself, but there are still some ways to do it, although not as easy as before. I think it's not perfect, but we don't have unlimited time, and already many other things to work on, so if someone who think that's important wants to spend the time to investigate this and document the best way to do it, then that would be useful.

ok, i surrender.
i've copied an edited pref.js file into .../tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default
before firstrun of a TBB 9.0 and tried to disable 'check for updates' with this varying settings:

user_pref("app.update.auto", false);
user_pref("app.update.disabledForTesting", true); boolean; DOES NOT EXIST in TBB 9.0
user_pref("app.update.doorhanger", false);
* user_pref("app.update.enabled", false); boolean; DOES NOT EXIST in TBB 9.0

user_pref("app.update.url", "https://non-existent.org"); or "/dev/null"
* user_pref("app.update.url.details", ""); or "/dev/null"
* user_pref("app.update.url.manual", ""); or "/dev/null"

* user_pref("extensions.torbutton.versioncheck_url", ""); or "/dev/null"

* user_pref("browser.policies.testing.disallowEnterprise", false);

there is no update prompt anymore but still showing the
'Update to 9.0.1' button in about:preferences and the best:
it downloads (!) the update from somewhere even if ALL urls in about:config are deleted.

is there a hidden fallback url or WHAT IS IT that still checks and even downloads an update?

exact advices please!

Anon

Зингпиль (not verified) said:

November 06, 2019

Permalink

хорошее обновление

Where are my bookmarks, I've tried all the steps that are supposed to restore them, I can't even restore from a back up

Open hamburger menu --> Library --> Bookmarks --> Show All Bookmarks (Ctrl+Shift+O). Click things in the folder tree to find them after you restored. Restoration does not put them in the normal places so you can edit/merge them as you wish. Or are you talking about Android?

Hey Tor Project, i'm french.
Your wallpaper take back the internet with Tor & theme are ++++ beautifull!!
Thank for the général évolution of Tor!
French user

There seems to be a bug where launching tor from the gui shortcut in Ubuntu hangs for the longest time. Sometimes as long as 10 minutes before the connection dialog begins. It's affected me since at least 2 or 3 updates ago.

Do you mean Tor Browser? "Tor" (capital T, the network), "tor(.exe)" (the network daemon), and "Tor Browser Bundle" are different things. Did you install Tor Browser from torproject.org? (Don't use tor from Ubuntu's repository.) Are you trying to use the torbrowser-launcher package? Did you configure to connect through a bridge that could be down? Is your network known to censor traffic? Are applications besides Tor Browser having the problem?

AFTER RENAME FOLDER - TOR BROWSER NOT WORK!!!

We have this ticket for this issue:
https://trac.torproject.org/projects/tor/ticket/27604

This should be fixed in the next alpha.

Why sometimes using Tor Browser, it's window size suddenly change? Please fix this.

Do you have some steps we can use to reproduce this issue ?

I've seen the same thing a few times while using Tor Browser 9.0 in Tails 4.0.

Kinda irreproducible but it seems to happen when I am trying to click on some button or something and just miss, possibly causing an almost invisible change in window size which possibly (?) invokes letterboxing. I am seeing only a slight *decrease* in window size.

That sounds possible if the button/link is at the edge of the webpage content, and the window is accidentally made larger or smaller.

If that is the reason, it could be related to this:
https://trac.torproject.org/projects/tor/ticket/32308

I had to manually install the noscript browser extension to use noscript. Should this have been necessary and why was Noscript removed from the new tor release?

noscript is still included. What has been removed is the toolbar button, as not all options from this button are safe to use. It is however possible to add it back by selecting "Customize" in the hamburger menu.

We have some plans to implement per-site security settings support which should remove the need for the noscript button:
https://trac.torproject.org/projects/tor/ticket/30570

Which options are not safe and why?
Could I request that, if you or your colleagues are going to state such things, esp. warnings, in the future could you/they expand on what they are saying so that users are better informed and can take action?

Thank you

> in the future could you/they expand on what they are saying so that users are better informed

The post for version 8.5(.0), when NoScript's icon was hidden, did not contain a paragraph explaining where the icons had gone, so it ended up being repeatedly discussed in comments in every release post since version 8.5. It was mentioned in an onboarding card inside Tor Browser, the "What's New" circle icon on about:tor that many users don't notice or read. During development (Bug 25658), antonela repeatedly brought up the need to inform users but appears to have been forgotten. From this lowly user, thank you, unsung antonela.

The "about:tor" page crashes even on fresh install of Tor Browser 9.0.1 on Windows 10 Release 1903 32-bit :
"Gah. Your tab just crashed. We can help! Choose Restore This Tab to reload the page."

Sadly Tor Browser has become really frustrating :

  • Permanent letterboxing, when Firefox does it right, only on page load.
  • Obscure management of cookies.
  • Low privacy settings, example: network.http.referer.XOriginPolicy = 0!
  • NoScript is garbage and has an awful UI. Should be replaced with uBlock Origin by default.
  • NoScript and HTTPS Everywhere icons are hidden by default on fresh install.

Did you have this issue in previous versions of Tor Browser, or is it new with 9.0.1?

Crash is new to 9.0.1, right after update, fresh install (new profile) also crashes. I didn't encounter any crash on 9.0.

versions prior to 9.0 YES were translated into Spanish

> Permanent letterboxing, when Firefox does it right, only on page load.

Where does Firefox do any letterboxing whatsoever? I don't see privacy.resistFingerprinting.letterboxing in the most recent version 70.0.1 at all.

> Obscure management of cookies.

Cookie preferences affect the browser's fingerprint but also collateral damage. The functionality of many websites depends on cookies even more than JavaScript. In the Preferences UI, "Cookies and Site Data" management buttons are there, identical to Firefox, for advanced users.

> Low privacy settings, example: network.http.referer.XOriginPolicy = 0!

That is the default in Firefox. Tor Project may have left it alone if its other values cause collateral damage, but I don't know their reasoning. Unfortunately, some login forms and other functionality of some websites depend on cross-origin referer headers. I don't know if patches were created that lower the risk.

> NoScript is garbage and has an awful UI. Should be replaced with uBlock Origin by default.

Its UI was forced to change a long time ago because of Mozilla's move to WebExtensions. Its important features from before are all there. Its menu sometimes is a little slow to render, but I don't have any major dislikes of it.

> NoScript and HTTPS Everywhere icons are hidden by default on fresh install.

That's because customizing them gives your traffic a unique fingerprint, so doing so is for advanced users. NoScript in particular has always been complicated and confused newbies who are better served by changing the security level.

because versions 9.0 and 9.0.1 on android are not translated into Spanish..?

My proxy settings are getting reset with every manual update. Slightly annoying.

> qipcap.dll
Avira
The definition file was updated, and it was determined that there was no problem.

Thank you! I wish you had replied to the first virus comment, though, so people would see you.

Bring back do not check for updates! I don't want to be reminded of a new version every 5 minutes!

Tell that to Mozilla. Tor Project wasn't involved. According to about:config, the most frequently it prompts you is once every 3600 seconds (1 hour).

To disable all reminders of updates,
https://support.mozilla.org/en-US/questions/1197474
app.update.silent;false

Or to disable certain types of reminders,
app.update.badge;false - for the green dot on the 3-bar menu icon
app.update.doorhanger;false - for the Yes/No prompt that drops down from the menu icon

Thanks

Hey, EFF consistently forgets to update https://www.eff.org/files/https-everywhere-updates.json

I have a somewhat disturbing issue with NoScript.

I don't like it's not automatically in the browser tab so after setting Tor's security to high it's always my second step to customize it that way.

Lately though it disappeared from there all of a sudden after a restart, was obviously disabled even though Tor was set to high security and it's icon nowhere to be found in the customizer, so I had to install everything completely anew. The same happened already with 9.0 once. I'm on a linux system if that is a factor.

In that regard, I've found the security level button to be completely insufficient in indicating the security status of Tor. It's just a little bit of different gray at the border of one's field of vision. Easy to overlook. Maybe it could be changed to a colored traffic light-like system, though in my case it would've probably not helped at all so this is more a general suggestion.
In any event I would suggest moving back the NoScript button to the browser tab by default so there's no ambiguity here if it's just an issue with customization or worse should it be missing. I really think routines are extremely important here since I didn't notice for some minutes it wasn't there anymore. In fact I noticed only because the site I was surfing was obviously displaying elements not possible with Java script disabled.

Please consider the matter and thanks for reading.

> and it's icon nowhere to be found in the customizer

Did you accidentally right-click on its icon --> Remove Extension? Did you accidentally drag it into the overflow ">>" menu? Was it still listed in the hamburger menu --> Add-ons --> Extensions where it should always be? Please continue monitoring it for steps to reproduce it and details to report if it happens again. Thank you.

> It's just a little bit of different gray at the border of one's field of vision.

Is it that hard to rotate eyeballs a few degrees to look at it straight on for a split second? The different shadings take up most of the icon's visual size. Colors have been proposed several times in years past but are more ambiguous in meaning and have accessibility issues for colorblind users.

> I would suggest moving back the NoScript button to the browser tab by default

It was hidden in 8.5 because it's complicated and confused or, worse, endangered newbies. Advanced users can drag it back.

Error when using Tor-bridge DB request, when using TB 9.0.1 with torbrowser-launcher v0.3.2, running at Debian 10.1

Tor Network Settings about:preferences#tor

[x] Tor is censored in my country

○ Select a built-in bridge

● Request a bridge from torproject.org

[Request a Bridge...]

After pressing the request button:

Error message:

Unable to obtain a bridge from BridgeDB.

Failed to execute command "/home/$USER/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/./TorBrowser/Tor/PluggableTransports/obfs4proxy"

Do you have an error if you run this command from the tor browser directory?

./Browser/TorBrowser/Tor/PluggableTransports/obfs4proxy --help

TB on Android 9

System language is German but TB settings etc. are in English except the one setting "Sicherheitseinstellungen" (where you find the Security Slider. The Slider options are in German too). Everything else is in English. Problem since TB 9.0.

Even if I change the language in the settings from "System default" - which is German - TB 9.0.1 is still in English.

This problem doesn't occur on Linux and Windows. Android only.

This looks similar to this ticket:
https://trac.torproject.org/projects/tor/ticket/32365

Is it possible that making a SSL bridge which based on source code of Openconnect & Ocserv?

I am Roxie trying to reach the dark web. I am on an Android phone and i just cant figure it out. Needing help

"reach the dark web" doesn't really mean anything. The dark web is mostly a myth, not something you can "reach".

If what you want to do is use Tor to browse the web, then you can follow the links on https://www.torproject.org/download/#android to install Tor Browser.

"Dark web" is a fearmongering term mostly used by willfully ignorant non-techie reporters who are not properly doing their jobs, because they are not fact-checking government punted misinformation.

You probably mean that you want to use Tor on your Android phone to visit "onion sites" (formerly called "hidden services sites"), which can only be reached via the Tor network, which you can join by downloading, installing, and using Tor Browser.

A few points to bear in mind:

o "Tor Browser for Android" may not work with older or cheaper Android phones

o only download it from torproject.org

o verify the detached signature with GPG if at all possible

o only use the latest version

If you also have a laptop or desktop, you may also want to consider using the latest version of Tails. Unfortunately Tails is not available for smart phones but it enables you to boot a computer with a 64 bit CPU from a DVD or USB. Tails is an "amnesiac" operating system which comes with Tor Browser and much more useful software. It provides extra protections while using Tor Browser so it is a good tool for anyone who is politically active, a government official, scientist, doctor, lawyer, journalist (or maybe I should say: who requires oxygen, water, or food in order to continue to exist). See tails.boum.org.

And speaking of onion services, Tor Browser includes the DuckDuckGo search engine's optional onion service. Here are some more to get you started:
https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor
https://onion.torproject.org/

11.0.8:
[NoScript] Policy was undefined, retrying in 1/2 sec...