New Release: Tor Browser 9.0.1

Tor Browser 9.0.1 is now available from the Tor Browser download page and also from our distribution directory.

Tor Browser 9.0.1 is the first bugfix release in the 9.0 series and aims to mostly fix regressions and provide small improvements related to our 9.0 release. Additionally, we are adding a banner on the starting page for our fundraising campaign Take Back the Internet with Tor.

Known Issue

For each new release, two members from our team are building the release separately and compare the result to make sure that it is reproducible. For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating is making our build not completely deterministic. As a workaround for this issue, we had to do multiple builds until we got matching builds. You might need to do the same if you are trying to reproduce our build.

Note: due to some delay with the signing, the Android version is not yet available. We expect to be able to publish the signed Android version in a few hours. Update: the Android version has been published.

ChangeLog

The full changelog since Tor Browser 9.0 is:

  • All Platforms
    • Update NoScript to 11.0.4
      • Bug 21004: Don't block JavaScript on onion services on medium security
      • Bug 27307: NoScript marks HTTP onions as not secure
    • Bug 30783: Fundraising banner for EOY 2019 campain
    • Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
    • Bug 27268: Preferences clean-up
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.2
      • Bug 32164: Trim each received log line from tor
      • Translations update
    • Bug 31803: Replaced about:debugging logo with flat version
    • Bug 31764: Fix for error when navigating via 'Paste and go'
    • Bug 32169: Fix TB9 Wikipedia address bar search
    • Bug 32210: Hide the tor pane when using a system tor
    • Bug 31658: Use builtin --panel-disabled-color for security level text
    • Bug 32188: Fix localization on about:preferences#tor
    • Bug 32184: Red dot is shown while downloading an update
  • Android
    • Bug 32342: Crash when changing the browser locale
Anonymous

November 22, 2019

Permalink

I need to know if you are going to produce a "Black Screen of Death" Fix.
*BOTH* of my multi-user Development VMs have been hit by this poor QA update to v9.0.1
Ironically preventing completion and release to the community of privacy related software.

NONE of my diverted time fiddling around with AppArmor settings fixed this.

Thankfully my practice of not having monoculture single points of failure ( using chromium based browsers)
is the ONLY way I can get this to you!

It is the last straw for me; I have been concerned for some time at the egregious resource (CPU) demand at startup
suspicious that it is attempting rowhammer or spectre/meltdown class base processor games.
All of my VMs, including Fresh Builds are equally affected. It is not some extension update
poison that is responsible.

But I will retain torbrowser on end user VMs used for technology demonstrations.

When the QA quality of updates returns to what I was happy to immediately add when busy!

My compliments to the Dev team. I hope that this instigates a learning process so that
this catch22 lockout NEVER happens again...

I cant update it. I cant reload it from scratch tarballs off your site (Whonix Workstation instances)

Those systems are now SOL for torbrowser, and a VERY poor or negative choice example at demo time.

Please advise here and put up a permanent page that gets listed at the head of typically serach engines.

THANKS

Anonymous

November 24, 2019

Permalink

Sometimes, when I start Tor Browser, the start page states that "Tor is not working in this browser". However, when I go to the URL "check.torproject.org", The site said that "This browser is configured to use Tor."

I want to know if there are other users that encountered similar issues.

Thank you.

Information:
OS: Windows 10
Browser Version: 9.0.1

Anonymous

November 24, 2019

Permalink

i have new windows 7 install when i try to open TB9,901,95a2Alpha it says:

The program can't start because api-ms-win-crt-convert-l1-1-0.dll is missing from your Computer. Try reinstalling the program to fix this problem.

TB8 and latest firefox is working fine. No other program is showing this error.

Anonymous

November 24, 2019

Permalink

I have a question.
It still uses HTTP circuit rather than HTTPS when starting and even when HTTPS everywhere is enabled is enabled while browsing, check for port and it shows using port 80.

Anonymous

November 25, 2019

Permalink

After updating to this version the new tab crashes every time. It displays "Gah, your tab just crashed" tried re-installing, disabling add ons and all that. The older version works fine but as soon as it updates it gives above mentioned error. please help ASAP.

@boklm. I see the same problem on Windows10-32bits on an AMD Athlon CPU. Maybe it is just a problem of compiler. Sometimes a program can crash because:
- Compiler has a bug, producing invalid code on rare occasions.
- Source code has a bug only revealed on certain compilations (ex. use after free).
- Too aggressive compiler flags (ex. -Ofast).
- Uses unsupported instructions (ex. SSE4.2 when CPU only supports SSE4.1).
Maybe ask the other users also what CPU they are running on.

No Antivirus ever here (Windows Defender also disabled) !
I like it when my PCs are infected and malwares ruin my UX, including a crash on the TB about:tor page ! ;)
TB 9.0.1 tested on the same AMD Athlon PC on Debian 10 x64 and no crash on about:tor page, so it looks like the bug is limited to the 32-bit version of TB.

You can run Windows Defender scan to be sure ;)
The bug is limited to the 32-bit version of Windows 10 on AMD Athlon PC, FWIW.
What error code do you see in the Windows Event Viewer for that crash?

Firefox 68 works fine. In fact, on TB 9.0.0, the about:tor page does not crash and TB 9.0.1 seems to work fine apart from this crash.

  1. CPU-Z info (extract)<br />
  2. -------------------------------------------------------------------------<br />
  3. Windows Version Microsoft Windows 10 (10.0) Professional 32-bit (Build 18362)<br />
  4. Specification AMD Athlon(tm) 64 X2 Dual Core Processor 3800+<br />
  5. Instructions sets MMX (+), 3DNow! (+), SSE, SSE2, SSE3, x86-64<br />

Anonymous

November 27, 2019

Permalink

Right now I use Tor for Windows but I want to change to Linux Mint.

For Windows, since you have had those ‘new’ pages, all I have to do is download the files from https://www.torproject.org/download/ and verify the signature by following the instructions on the page: https://support.torproject.org/tbb/how-to-verify-signature/

If all is OK I double-click the ‘exe’ file, everything starts and I am using TOR.

I have just downloaded and installed Linux for the first time.

I have downloaded and verified the TOR Linux files in the same way that I have for Windows – all is OK - but I can’t make them run.

I have found the instructions for Debian and Ubuntu under your ‘Expert Guides’. Since my version of Linux is based on Ubuntu I thought these instructions would help but as I am new to Linux I don’t understand them.

I see that the TOR file for Linux has the extension tar.xz. Can anyone please tell me how I install it so that it works with Linux?

Or can someone please give me step-by-step instructions to download, install and run the TOR Linux files under Ubuntu?

Thank you

"I have found the instructions for Debian and Ubuntu under your ‘Expert Guides’."

Do you mean this? The new site may have confused you because the "Documentation" link in the top header goes to the old 2019.* site.
https://2019.www.torproject.org/docs/debian.html.en

Those instructions are for tor, the network daemon, not for the Tor Browser Bundle that contains the daemon and a modified Firefox. Also, torproject.org URLs beginning with "2019" go to the old website which is there in case the new purple-colored site doesn't answer the question. Follow the Tor Browser Manual that boklm posted. You can find the manual from a Support question too: How do I install Tor Browser?

Anonymous

November 29, 2019

Permalink

Why are comments turned off on some of these blogs? Like with

"We Can Choose an Internet Without Surveillance"

I have an opinion that none of this is true. Tor is not what it once was, an I am thinking that is why so many people left.

> so many people left.

The numbers don't show that. User counts show fairly steady numbers around 2,000,000 for the last 6 years plus increasing bridge user counts that fluctuate wildly from 30,000 to 180,000. The spikes are usually from botnet malware or big news events such as national internet shutdowns. Perhaps chatter has decreased where *you* spend your time.
https://metrics.torproject.org/userstats-relay-country.html?start=2010-…

Anonymous

November 30, 2019

Permalink

Hi everybody,

It not recommended to use ad-ons to the browser (I am using FF). Standard are HTTPS and NoScript. First time I tried one of my normal webb-sites I saw the site full of ads. NoScript showed zero (0) meaning full blocking when looking at presented scripts. Second time I used the 9.0.1 browser it started to stop ads (reading "connection disabled" in ads-areas). This time though the browser started to utilize much more cpu and not working well. When changing site-pages ads showed up here and there but not everywhere!

How does the ad-free Tor Browser work? The site I tested was a "trusted" http-site. In my normal FF browser I use an anti-ads ad-on and it is working perfect.

Ad-free Tor Browser implies using an adblocker. This is what I would advise at least:

NoScript may conflict with adblockers, so maybe disable it (at your own risk) on the about:addons page.

Then install uBlock Origin from the Firefox Add-ons site.

Then open the uBlock Origin dashboard, go to the settings pane, enable "I am an advanced user", all privacy settings and block remote fonts.

Then in the Filter lists pane, select the filters you really need (to see all filters available, click on the "+" on the left of the line "x network filters + y cosmetic filters from:").

Then close the dashboard, and set uBlock Origin blocking mode to at least Medium.

Finally, install Cookie AutoDelete and set it to "Enable Automatic Cleaning after x seconds" and "Enable Cleanup on Domain Change".

Installing other privacy related add-ons like Decentraleyes or Privacy Badger is rather redundant if you set uBlock Origin to Medium block mode and enable privacy related filters.

ClearURLs is a very nice add-on and may be the most effective to remove tracking elements from URLs, but I am a bit nervous with the fact that it automatically downloads its rules from an external file on Gitlab. uBlock Origin also download filters, but gorhill is an outstandingly good developer and I trust him more than the ClearURLs developer, who still has to prove his worth...

I dream of a Tor Browser including by default more of these privacy related extensions (especially the essential uBlock Origin):
https://www.privacytools.io/browsers/#addons
https://amiunique.org/tools

BTW, my fingerprint tests on Panopticlick and here AmIUnique reveal what makes my Tor Browser mostly unique (30 days period):

  1. Screen resolution (<0.01%) [full screen and repulsive letterboxing disabled]
  2. Navigator properties (0.02%) [Surprise! 30 properties in navigator object]
  3. List of fonts (0.19%)
  4. Permissions (3.74%) [geolocation:denied, notifications:denied, persistent-storage:prompt, push:denied]
  5. User agent (4.63%)

Trying to block fingerprinting through coalescence is a pipe dream !
The only solution according to me is the universal randomization of fingerprints. If every user constantly changes his fingerprint (by randomly changing bits of the sources of fingerprinting) during a session, then it is impossible to uniquely and durably identify users. I hope Firefox will enhance its resistFingerprinting feature and implement randomization of fingerprints in the near future...

The results given by Panotpticlick or AmIUnique are not really meaningful for Tor Browser as those tests are mainly being run by non-Tor Browser users. What is important for Tor Browser is that all Tor Browser users have the same fingerprint, but it doesn't matter if this fingerprint is similar to the one from other browsers.

About randomization of fingerprints, see the section "Strategies for Defense: Randomization versus Uniformity" in the Tor Browser design doc:
https://2019.www.torproject.org/projects/torbrowser/design/

Thank you boklm for the infos and the link. I read the doc carefully and now better understand your "No Filters" design choice.

Concerning the randomization, I still disagree.

Uniformity is a pipe dream, because people always want to customize their tools when possible. But, by customizing their Tor Browser through configuration or add-ons, they weaken their fingerprint uniqueness without always knowing when or by how much. Claiming uniformity brings a false sense of anonymity to the end-user.

If you want uniformity then put the end-users in a jail, where they can't modify the Tor Browser. But then, I guess you won't have many users left. On the contrary, if you let the end-users do some customization, then uniformity is impossible to achieve.

Moreover, dictatorships hate liberty because they can't control people with random behaviors. They hate diversity because they can't control people with random identities. Thus, uniformity is their ultimate dream, whereas randomization is a tool to create diversity therefore liberty.

So I think your mistake is to make your design choices from a technical point of view, whereas it should be from a philosophical point of view. The technical solutions should follow the philosophical guidelines, not the other way around...

Anonymous

December 01, 2019

Permalink

many who updated to 9.0.1 , 32bit are getting a white space between website and tor-browser window ... can anyone tell em why and/or how to fix it?

Yes, I don't know why Tor Browser developers made this ugly design decision. The original Firefox does it right, only on page load.
Anyway, type about:config in the URL bar, then set :
privacy.resistFingerprinting.letterboxing;false

Then please do the letterboxing only on page load, like Firefox. The way it is now is an ugly looking and disturbing hack.
Tor Browser is a great software, it just needs some polishing that would make it awesome !

it's me again .. about white space. The prob is much worse .. resizing tor window ads more white space and jumps between resolutions. It's like a mexican jumpin bean as one resizes window. CPU load on boxes older than 3 yrs goes to max.
Ok .. but is there any way to fix it ?
Another thing = when having open tabs more than window limit [let's say 100] drop down arrow list doesn't let one scroll/jump by using first letter .. as it used to. And mousing over list doesn't show URL either .. which worked before.