New Release: Tor Browser 9.0.2

Tor Browser 9.0.2 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

This new stable release is picks up security fixes for Firefox 68.3.0esr and updates our external extensions (NoScript and HTTPS Everywhere) to their latest versions.

Apart from backports for patches that already landed in alpha releases and fixing an error in our circuit display and improving our letterboxing support, Tor Browser 9.0.2 provides properly localized Android bundles again as well.

Reproducible Builds

The issue with reproducible builds mentioned in the 9.0.1 blog post is still present in this release. We however made progress on understanding the issue and are getting closer to a fix.

ChangeLog

The full changelog since Tor Browser 9.0.1 is:

  • All Platforms
    • Update Firefox to 68.3.0esr
    • Bump NoScript to 11.0.9
      • Bug 32362: NoScript TRUSTED setting doesn't work
      • Bug 32429: Issues with about:blank and NoScript on .onion sites
    • Bump HTTPS Everywhere to 2019.11.7
    • Bug 27268: Preferences clean-up in Torbutton code
    • Translations update
  • Windows + OS X + Linux
    • Bug 32125: Fix circuit display for bridge without a fingerprint
    • Bug 32250: Backport enhanced letterboxing support (bug 1546832 and 1556017)
  • Windows
    • Bug 31989: Backport backout of old mingw-gcc patch
    • Bug 32616: Disable GetSecureOutputDirectoryPath() functionality
  • Android
    • Bug 32365: Localization is broken in Tor Browser 9 on Android
  • Build System
    • All Platforms
Anonymous

December 03, 2019

Permalink

I don't see this post listed on the main Tor Blog page:
https://blog.torproject.org

I took a guess that the post might exist when I saw an update was available, then entered the URL of the previous update and made it end in a 2 instead of a 1.

I see the post listed under these tags:
https://blog.torproject.org/category/tags/tbb
https://blog.torproject.org/aggregation-feed-types/tbb-90

But not under this tag:
https://blog.torproject.org/category/tags/tor-browser

In any case, thank you for the update!

Anonymous

December 03, 2019

Permalink

Was the update released on the 2nd or the 3rd? This blog post lists the 2nd, but Mozilla lists the 3rd for 68.3esr release.

Anonymous

December 03, 2019

Permalink

Was the update released on the 2nd or the 3rd? This blog post is from the 2nd, but Mozilla's site lists the 3rd.

Anonymous

December 03, 2019

Permalink

WARNING

When using the Backports torbrowser-laucher package at Debian GNU/Linux 10, make sure you backup your user Library bookmarks list first, as they'll be erased during the automatic Tor Browser update process. To make and restore the bookmarks backup, follow these steps:

Settings >> Library >> Bookmarks >> Show All Bookmarks (below the menu)
>> Import and Backup >> Backup...

The usual default setting of the Tor Browser $USER directory, when using Debian torbrowser-laucher, is:

~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US

BEWARE

Because of the fact that the contents of the ../tor-browser-en-US/ directory will be cleared (the exact name depends on your particular language localisation, of course), you should place the bookmarks .JSON backup file at another elsewhere, otherwise you'll lose it.

Anonymous

December 03, 2019

Permalink

Usually the update is downloaded automatically in the background and then it prompts me to restart. But this time (9.0.1) I got a dialog with a "download update" button which just took me to the download page. Is something wrong with the updater?

OP here. Nevermind. I just ignored the update last night and left the browser open, and this morning it gave me the "Restart to update TB" prompt. So I guess it just took a while.

> But this time (9.0.1) I got a dialog with a "download update" button which just took me to the download page.

Open about:config and type app.update. In a new tab, search the web for the meanings of those names. Notably, *.badge, *.doorhanger, *.notifyDuringDownload.

Anonymous

December 03, 2019

Permalink

uncaught exception: 2147746065 SessionStore.jsm:1325:22
Error: listener not re-registered 8 ExtensionCommon.jsm:2318:24

Anonymous

December 03, 2019

Permalink

Hello, usually I download the updates smoothly. In this 9.0.2 update, the screen stated "Something went wrong! Tor does not work...", etc., etc.,. So, instead of panicking, I went ahead and tried to access the current page. As with most of this evening's surfing, everything stalled and the constant tick-tock at the top of the page wouldn't load. Fed up, I took Tor off screen. I reloaded, and now I am here. So, does this mean I have a safe, okay Tor or do I need to download a new one? Please advise. Thank you.

> etc., etc.,.

Did what you left out give any specific technical information or numbers that could narrow down the issue? Which "current page"? What "tick-tock"? Do you mean the circular "loading" animation on tabs? The browser does not display a clock. I don't know if your system is "safe", but if there is no longer an issue with tor browser, that's good. If you want to download a new one, download it, export your bookmarks if you have any, delete the tor-browser folder, install the new one, and finally import your bookmarks.
https://support.torproject.org/tbb/how-to-verify-signature/

What did I "left out"? I name the left/right tick-tock as it does that like a grandfather clock when page does not finish loading. If it was a clock, I would have identified it as one. In order of your suggestions, how does one download it without it automatically installing?

If you restarted Tor Browser and it connected to the Tor network (like it did before the update), and you are able to load webpages, then it seems Tor Browser is working correctly. One common cause of errors like this come from the hard drive becoming full during upgrade. Tor Browser (and Firefox) do not handle this situation well.

Anonymous

December 03, 2019

Permalink

When I quit Tor there is a red box that says,"Tor browser quit unusually and Windows Runtime had errors in shutting down" and had some other jibberish below it. Should I be worried about this? I am in Korea and everybody tries to spy on you here.

Anonymous

December 03, 2019

Permalink

Where is the NoAutomaticUpdates option?
The impudence that Firefox is phoning home to aus1.torproject.org without
the easy option to switch off is .....think about.

And when you have found the hidden option(DisableAppUpdate.Prevent the browser from updating.) for in about:policies, playing games with users,
Enterprise Policies(what?Only for Enterprices), and the place for this ...funny thing,
mozilla write this:
view-source:jar:file:///X:/xxxxxxxx/omni.ja!/components/EnterprisePolicies.js
// Check if we are in automation *before* we use the synchronous
// nsIFile.exists() function or allow the config file to be overriden
// An alternate policy path can also be used in Nightly builds (for
// testing purposes), but the Background Update Agent will be unable to
// detect the alternate policy file so the DisableAppUpdate policy may not
// work as expected.

Unintentional phoning home or they call it telemetry is an unfriendly act.Point.

To be forced for, everytime i open TB or other browser action, that is crap and nothing else.
Especially there is no need for to hide this -no automatic updates.
The boring thing was the flood of "my so old Torbrowser version need no update ever" troll campaign to bore the developers and nudge them to hide this option.

Generally, it's intuitively correct that people don't like phoning-home and auto-update checking, esp. forced updates, feeling it may have privacy issues (and at least it's psychologically invasive).
However, Tor Browser is somewhat exceptional. If you use Tor Browrse, you'll have to trust the whole Tor System (though you don't need to trust every single nodes). Hypothetically speaking, if its auto-update checking has privacy issues, its normal initial connection COULD have much bigger privacy problems, as it could record everything you do online (and possibly tells that to the government or something). In other words, the whole Tor system COULD be a honey pot. Hypothetically speaking, of course.

In reality, if one uses Tor, one has to trust torproject.org; if one thinks auto update-checking is suspicious, one can't (shouldn't) use Tor Browser in the first place. So you're right - it is reasonable to accept automatic update-checking in this case. On the other hand, it's obviously a bad idea to blindly believe every automatic update (in general, not about Tor Browser) is okay and privacy-aware.

I will add that you don't have to trust blindly what we publish. The full source code of everything included in Tor Browser is available (this page has information about where to find it: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking), and we do reproducible builds (see https://reproducible-builds.org/) which gives a verifiable path from source to binary code.

Anonymous

December 04, 2019

Permalink

How do I get rid of the donation banner? Hate it. Don't want to see a G-string when I open my browser.

Anonymous

December 06, 2019

Permalink

I've noticed a big change recently, not with this TOR release, but in say, the last month, that the stupid Google captchas are failing out almost 50% of the time with the stupid, "received too many automated queries" message. This has gotten to the point now that I have to make 10 connections to find an IP on which the captcha will work. I've used TOR for years, and previously, this error was rare. Let's say perhaps 10% or less of the time.

First of all, why are so many websites using Google garbage. Google hates TOR. when you try to use Google with TOR you hit a captcha (not the familiar captcha I just mentioned, but another one), and sometimes it's an endless loop, where you solve it correctly and are bought right back to the same page. UploadBank seems to have a good non-Google captcha. Why isn't that being embraced? And why the Hell would a captcha system report an error for "too many automated queries" in the first place - it's designed to check whether you're human so it should be immune to noise packets.

Is this change something Google has done to make TOR users suffer, or is someone else to blame. Perhaps a State actor like China, attacking the captcha system to shut down or de-anonymize TOR users?

Anonymous

December 06, 2019

Permalink

When running version 9.0.2 (Android) the first few times it was possible to "start a new identity" whenever. Since yesterday the notice-bar Tor Browser, which also shows down- and uploading speed, is lacking this function to start a new identity. ???? Instead, but first after a while, Orbot tries to start (given notice by the tor browser bar) but fails later.

I think I downloaded my Tor Browser (under another name) a few years back from the Guardian site. Still I really don't know (remember) how the updating was working until it was done via Google Play. I also have some apps from Fdroid. They show my Tor Browser with the latest update but their version-history seems a bit odd!

Checking the Tor Browser's PGP signature seems almost impossible. The GnuPG does not work for Android (only Linux) and the Guardian Project version for Android is no longer updated or even possible to find. The closest link I found is this: https://github.com/guardianproject/gnupg-for-android, and being more or less a layman in computing I understand that there is no simple app to install onto my tablet to do the verifying process? Any suggestions? Installation of GPG via a terminal seems to involve the process of building apps. For app-developers and not for app-users? I have this terminal installed but GPG is not built into it!
Conclusion: The verification-process is part of Google Play and not the user! Right? Can I be sure? Or should I use the "workaround" with a public key?

Another odd thing. My tor browser use google as search engine as default. I read you use DuckDuckGo since 6.0.6. Strange! I have now changed.

For your info: My laptop and router have been compromised. I am not using the laptop and my router is factory restored after being hijacked (scripted). Still my router-values have been changed after reset. Also having dns-problems. Sitting behind a public fibernetwork and a switch run by a small ISP. My network consists of a cheap Asus wifi-router and a single Android 6.0.1 tablet device. I found a second internal ip-address in my network. Without any corresponding MAC-address. To find it I had to change my network settings in the wifi-settings in my tablet. No info under dhcp (dhcp in router btw) but when choosing static new info appeared. A new ip-address which involved google 8.8.8.8 and 8.8.4.4 instead of 9.9.9.9 (in router) . I guess google dns is default in Android but I do not understand the 2nd ip-address and why it is static? Under dhcp I could not see any dns-address! I had to choose static!

How to find logging for the browser's status in the Tor Network? When connecting the browser you can follow the process and read notices during the connection until GO. Then there is no way to check what is happening. When using Orbot and i.e DuckDuckGo I can always check status in orbot log.

A worried user,

Anonymous

December 06, 2019

Permalink

when i start tor browser it pop up a weird mirror, fix it , instead of choice bridge and shit, it popup a weird mirror and after that the tor browser pops up, that mirror get my windows 10 bluescreen sometime.

Anonymous

December 08, 2019

Permalink

since I loaded the newest Tor not one single onion site will open, tried downloaded older version of Tor but nothing has worked in a month

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

7 + 13 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.