New Release: Tor Browser 9.0.4

by boklm | January 10, 2020

Tor Browser 9.0.4 is now available from the Tor Browser download page and also from our distribution directory.

This release fixes a critical security issue in Firefox: CVE-2019-17026.

The full changelog since Tor Browser 9.0.3 is:

  • All Platforms
    • Update Firefox to 68.4.1esr

Comments

Please note that the comment area below has been archived.

January 09, 2020

Permalink

Is TB 9.0.3 vulnerable to CVE-2019-17026 if security slider is set to safer level? javascript.options.ion is set to false with this configuration which indicates not, but my layman interpretation may be wrong.

If anyone has information on who was the target of this attack and IOCs please share.

January 14, 2020

In reply to boklm

Permalink

For several years, some Tor Browser users have urged Tor Project to consider relabeling the security levels as "Safest", "Safer", "LessSafe" and to set the default security setting at "Safer" or even "Safest".

The fact that this particular exploit appears to only work against TB at the default setting once again underlines the fact that it would help keep many users safer if Tor Project set the default security level higher and educated users about the possibility of dropping down to the unsafe level if they really need it to use a particular website on a particular day.

January 19, 2020

In reply to boklm

Permalink

I understand the caution and why you don't want to disable javascript by default.

I make the counter argument that if a user is not aware enough of the issues involved to know that some websites will not function without JavaScript enabled, they would also not be aware of the security risk present when JavaScript is enabled by default.

Perhaps a good have-your-cake-and-eat-it-too option would be to:
Disable JavaScript by default .
When a user tries to load any page with JavaScript, display a message saying that it is disabled, explain why, explain that some pages will work poorly or not at all without it, then tell how to reenable it (possibly include a link to the control).

Not everyone who has a car knows anout engines, but if you buy a muscle car with a customized engine, then you are likely a little bit more interested in how engines work...

Almost all websites include some javascript, so we would be showing this message on almost every page. And when we show too much text or too much questions, users tend to not read it and click on the first button to hide it.

January 09, 2020

Permalink

Why Torbrowser is trying to update automatically despite i
DON'T want this?
How can i switch 'automatic update'/notification off reliably?

"Why Torbrowser is trying to update automatically despite i DON'T want this?"

Because Tor Browser aims to keep its users safe. As shocking as this may seem to you, but you as a tinkerer are not the principal target audience, so a random feature that you wish for them to implement, that doesn't make any sense for regular users but instead would even be detrimental to them, is obviously not going to find its way into the browser.

"so a random feature that you wish for them to implement,"

It's OK to set autoupdate as default but not to full force that compulsorily for all users and tell nudging fairy tales about random feature for shocked tinkerer.
This in your words "random feature" is a standard of ones choice.

To CHOOSE between autoupdate/telemetry and no-backchannel is essential for trust. No one is talking against autoupdate as standard for "regular users".

"is obviously not going to find its way into the browser."
Sounds ideologically and not technological.
By the way, do you remember the rofl from the NSA about MSWindows is sending all infos about your sys everytime it crashs?You could stop this behaviour with a click(-:.

I *still* have not succeeded in recovering two working Desktop VMs that have multiple user
accounts (Debian). Because of the apparmor issue. This WOULD have been easily recoverable
had my manual upgrade settings been honoured through all of the various major/minor deliberate
updates.
With something so critical it takes all of 4 mins to make a working backup copy of a VM file.

HUGELY disappointed at this testing failure. I still cannot recover my research and Dev
environment in an elaborate bookmarks setup that evolved over years.

Wont ever trust this again; I've moved over to using vivaldi and Brave. PERMANENTLY

At least I can rely on the settings and better VM performance with the alternatives.

January 09, 2020

Permalink

Can you please disable that spinning screen when clicking on the Security Level icon, then click "Advanced Security Settings". Also it was more efficient in prior versions when you could change the Security Level without going into a separate tab and menu. Thank you.

Relay nicknames are less unique than IP addresses. Operators could agree to name them all "Unnamed" if they wanted to. IP addresses are the basic thing to tell them apart because you have to know them to connect, and they are the key field to many other things like country names. Is there a reason why nicknames should be shown? Metrics.torproject.org is searchable by many flags including name or IP.

For example if mean that my exit or entry node is fake..how to simply check this hmmm??????
It was always the most importnat function. Some times..exit nodes was usa or russia some people doesnt want to connect over this exit nodes and they refresh cirrcuit to change exit nodes automaticly. I know that we can pre definie entry or ecit nodes but dont cheat together..how many user know how to do this?? I think its few of all..So this fucntion mus be again avaliable..!!!!!!!

January 09, 2020

Permalink

Privacy Pass has stopped working in Tor. Used to work. Stopped working a few releases ago. When a captcha has been solved, the check mark comes on, but does not advance. An error message comes on after a while that the solution has expired. No passes are added either. Tor only continues to work if the privacy pass is removed using the Add On Manager

January 09, 2020

Permalink

What's actually going on in China now? The number of meek users has decreased drastically recently, and there are now either 0 or next to 0 obfs4 users. Furthermore, how can there be thousands of relay users (apparently more than bridge users) there?
Is something going on with Microsoft Azure in China right now? Are Azure websites also only intermittently available there now?

I too see a trend inversion for the number of users over meek. It starts around mid 2019. But it's not only in China, but worldwide. There are also 5 short periods afterwards that are statistically abnormal. Default OR bridge and meek bridge suddenly have their upper and lower bound for user count estimation diverge massively. At the same time the directories report huge swings in the activity over default OR bridges. [1][2] Maybe that breaks ther estimation heuristics. What causes those swings?

Meek-azure still works in China in at least some places with at least some providers, but it is very slow. It can take over half a minute to load duckduckgo. People would probably instead first tunnel over VPN.

Obfs4 does work in China but only with unpublished bridges. [3] The authorities are somehow able to reveal and block everything in the BridgeDB. The low obfs4 statistics can mean two things:
- Setting up a private server to run a private bridge with obfs4 is a bad investment. You could use other protocols to escape the Chinese internet instead (e.g. V2RAY). You get an optional faster clearnet connection and your protocol is less suspicious.
- People are actually using private obfs4 bridges but they don't arrive in the statistics.

There can't be any normal relay users. Tor is blocked and I am not going to test a direct connection. The GFW messes with all your connections afterwards for some time (slowing and time-outs). They must be from the government or not actually in China.

[1]: 2019.https://metrics.torproject.org/userstats-bridge-combined.html?start=201…
[2]: https://metrics.torproject.org/userstats-bridge-transport.html?start=20…
[3]: https://trac.torproject.org/projects/tor/ticket/29279

My guess is that many of these alleged direct connections are due to GeoIP inaccuracies. Relays are using Maxmind's GeoLite2 to map client IP addresses to countries. GeoLite2 lags behind modern GeoIP databases in terms of accuracy and may mistakenly map IP addresses from, say, Hong Kong (where Tor works) to China.

Also, when setting up a private bridge, use BridgeDistribution none instead of PublishServerDescriptor 0. Both make your bridge private but the former also makes your bridge publish client statistics, which contribute to Tor Metrics.

As far as I can tell, "blocked by GFW" means "available sometimes, but not most of the time". It's very hard to tell how GFW works, but it's clear it doesn't work consistently. Connection to Facebook and Google succeeds sometimes, but fails the vast majority of the time. Similarly, connections to GitHub succeed most of the time, but they fail sometimes. Connections to Wikipedia also fail very often, but not as often as connections to Google or Facebook. I'd expect the same to be true for TOR relays.
My guess is that those aren't actual users, but malware that connects (or, more likely, tries to connect but fails to bootstrap) to TOR. Given what I know, that appears to be the simplest explanation.

January 10, 2020

Permalink

Why is Tor on mac not saving its window position and size when quitting, so it can re-open the same way the next time?

I agree! Why can't the Tor window position and size remember when closing/opening? It's so annoying to always have to resize and reposition.

I really appreciate Tor for being more secure when we are online, and right now, I'm "testing" my usage and will be glad to pay for it, but later, after I am comfortable with my browser experience. Meanwhile, my "Favorites" saved websites and my bookmarks appear somewhat out of sorts. I know that those behind this wonderful and developing browser is still working on 'perfection' so to speak, but meanwhile, it will be a good idea to welcome user surveys/comments.

Meanwhile, keep up the good work! I'm sure there are people that will be glad to pay 'something' to use a secure browser, even if it's $2 a month.

It seems that many Tor users are still disconcerted by the standardized window sizes and positions, but this is an important security/anonymity feature.

One way to think about this is that each place in your computer in which Tor Browser saves data opens up a potential security vulnerability.

More generally, increasing convenience tends to be inconsistent with improving cybersecurity. Bookmarks can be particularly revealing if an attacker is able to reach them.

I hope many more people will adopt Tor Browser in the months to come, and will start following the cybersecurity news (e.g. arstechnica.com, theregister.co.uk and many other sites). I have found that reading about real world exploits helps to maintain my awareness of the need to be very careful in trading away cybersecurity for some not truly necessary convenience.

Same on Linux (and Windows I guess), however, I consider this as expected behavior.

Despite letterboxing the default window size is still the recommended one to avoid fingerprinting, thus preserving custom window size would be a bug rather than a feature.

January 10, 2020

Permalink

In this latest build tab crashes again and again, can't use tor after update not even alpha build.

January 11, 2020

Permalink

Why is access to chrome: internal resources possible? For example, sites can detect modifying onboarding extension (TorZilla project).

In non-standard level NoScript overrides disabled webgl2. Maybe, better way is return {} for webgl1 and null for webgl2 for getContext?

Policies fully disabled for now. I edit omni.ja every time to re-enable it (disable updates, change search engines and etc.).
I think, policies.json-only variant is safe (as minimum not lesser then mozilla.cfg and user.js) and it's good to re-enable it (of course, with the system-wide group policies turned off).

TorButton always overrides network.proxy.type in startup-observer.js even if extensions.torbutton.use_nontor_proxy is false.
It's not useful, because I use the same TB instance with another profile for local and loopback network (without proxy and privacy/anonymity purposes).

I don't fully understand how resist font fingerprinting works. Linux doesn't expose fonts in tests in both variants of browser.display.use_document_fonts.
But Windows expose a lot of fonts. Is it garanteed that all of whitelist fonts present in OS? I noticed, Times and Helvetica get from registry via WinAPI advapi32, it's not very reliable.

Do you have any planning solutions or recommendations for FullScreen API screen resolution? In past, I use my own letterboxing protection with getBrowser().maxWidth/maxHeight overrides.

Hi, another pro cypherpunk! It's great you try to research how Tor Browser works. We recommend you to file your concerns directly to Trac, where pro discussions take place.

January 11, 2020

Permalink

I was using TOR to access sites which for some stupid reasons weren't available in Russia. One example is: http://www.threesocksmedia.com/
All of a sudden I get this error:
Not Acceptable
An appropriate representation of the requested resource /index.html could not be found on this server.
I am not sure if it's related to the latest update, but I started seeing it only today.
The site works perfectly fine in Opera VPN and it's accessible fine from North America.
Regards!

January 11, 2020

Permalink

I got a red background screen on startup after install of the latest update. There was a warning message on there that said "Something Went Wrong!" "Tor is not working in this browser."

This despite the install having worked correctly according to that same page displaying the Tor version in use (9.0.4) and my settings showing the newest browser version as being correct (68.4.1esr)

And I have full functionality including a definite Tor circuit.

What's with the warning screen?

January 13, 2020

In reply to boklm

Permalink

which is one of the things that doesn´t work.
Besides, which omni.ja and which .js, cannot find a .js saying anything about "app.update.".. Tried for hours and even the simplest little thing like unpacking and repacking a file makes tor not working.
Someone here must know. Zip doesn´t work.

What is your reason for going down the path of disabling updates? Perhaps there is a better solution if we understood your situation. Do you know that Tor Browser downloads and verifies the hashes of its automatic updates by going through the Tor network as it always does?

so what? do i need a reason for deciding for my self?
you claim to want to "free" people, but you are being totalitarian in that you and you only decide what people cannot, must not be allowed to. Your arguments sounds so much like chinese leaders claiming they know what the people need. I bet your next "argument" will be like: "find another browser". Little by little you are becoming what you claim to fight against.
And, oh Winrar works, by the way.

My reason is irrelevant. Your argument about how it goes through tor network is also irrelevant.
The only relevant question is why, why, why are users not allowed to choose for themselves?
Why is it necessary to take away peoples freedom of choice? You sound exactly like the Trump´s of the world, you have all the reasons why you need to be in control for the good of the people. How hard can it be to let people choose for themselves?
And, oh Winrar works, by the way.

You are free to do what you want, and you could even take the source code and build your own version with the changes you want.

You don't have to give any reason if you don't want to, but explaining why you want to do something can help us decide if that's a use-case we want to use some of our time to support.

January 31, 2020

In reply to boklm

Permalink

I did actually give my reason.
I want to be able to make the choice myself.
It should be an option to disable any kind of update, and those who wants auto-updating can choose that, that can even be the default setting.
You should never take away peoples right to choose for themselves. That is never a good solution however appealing to the ease of your work.
May i suggest working on a way to reintroduce policies without the proxy-issues?

January 31, 2020

In reply to boklm

Permalink

You haven´t tried or you would know it doesn´t work, of course Tor tries any possible attempt to "phone home", those steps are easily overruled by some hidden settings, possibly in omni.ja? (i´m definitely not an expert). I find it too complicated to edit omni.ja for every update, and i also haven´t found anything in there that stops it from looking for updates. Every time you open options, when you scroll to updates you see (i can see it) it tries to look for updates, and it just keeps on, because it can´t find it.
That´s what happens when you point to a wrong adress, it just keeps looking, endlessly apparently. It should be the users choice to decide whether to look or not.
And, oh... policies are forbidden in Tor, that used to be a good solution.

January 31, 2020

In reply to boklm

Permalink

You haven´t tried or you would know it doesn´t work, of course Tor tries any possible attempt to "phone home", those steps are easily overruled by some hidden settings, possibly in omni.ja? (i´m definitely not an expert). I find it too complicated to edit omni.ja for every update, and i also haven´t found anything in there that stops it from looking for updates. Every time you open options, when you scroll to updates you see (i can see it) it tries to look for updates, and it just keeps on, because it can´t find it.
That´s what happens when you point to a wrong adress, it just keeps looking, endlessly apparently. It should be the users choice to decide whether to look or not.
And, oh... policies are forbidden in Tor, that used to be a good solution.

February 02, 2020

In reply to boklm

Permalink

omg.
If you´d actually tried you´d know that doesn´t work anymore. Where have you been? E.g. policies are forbidden in TBB.

January 12, 2020

Permalink

nice

January 13, 2020

Permalink

TOR as been working strange,despite the new update that took place recently the browser has not been displaying the webpage's images/information. I've tried to restart and re-downloaded the browser however the problem still remains the same.Any idea on my why this might be happening?

January 13, 2020

Permalink

mega.nz shows my real platform:
BrowserID: mozilla/5.0 (x11; linux x86_64; rv:68.0) gecko/20100101 firefox/68.0
(javascript active)

January 15, 2020

In reply to boklm

Permalink

Intent to Deprecate and Freeze: The User-Agent string

Summary

We want to freeze and unify (but not remove) the User Agent string in HTTP requests as well as in `navigator.userAgent`

Motivation

The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.

Some parts of it, such as the browser version and the OS version, can be frozen without any backwards compatibility implications. Values that worked in the past will continue to work in the future.

https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/-2JIRN…

January 13, 2020

Permalink

streaming doesn't work anymore on pornhub or xhamster
but download works suddenly - which was tricky on pornhub.

January 13, 2020

Permalink

Hello, I don't know if this was covered. In numerous sites for the past 4 months or so, that yellow "pop-down" is saying do you want a site to post a page or wait or stop it. This happens whether I am looking at email or Courage.org or Reuters or several other sites. This disrupts the using of the computer more and more. Anything I could do to lessen this happening? Thank you so much in advance.

January 14, 2020

In reply to boklm

Permalink

To _okim (my letter _ is fried in my computer): Thank you for asking. The yellow _anner that "pops down" from the top states- "A we_ page is .slowing down your _rouser. What would you like to do? Stop it // Wait // . Sometimes it still pops down when I answer it! (Perhaps it doesn't like my answer). Any ideas how to lessen this happening? Thanks! PS Usually I choose Stop it, although I have tried them all including the X for hiding the thing.

Your broken B key is terrible for your privacy. I've been able to look in old posts and find you every time no matter what name you post as. Use your OS's virtual keyboard or keep Character Map open to copy "b" into your clipboard so you can paste it. Basic keyboards are not expensive as far as parts go. You can find used ones at secondhand stores, ebay, craigslist, from friends, or even in trash bins sometimes. If you have a laptop, there are portable USB ones. Or you could open it up to try and repair it.

January 13, 2020

Permalink

after the update, tor become seriously slow. i try back to 9.02 but it also slow. Something happen to TOR network especially obs4.

January 14, 2020

Permalink

The link from the download page points to 9.0.2, but I changed everything to 9.0.4 and found it, hope that's safe. Just fyi so you can change the link

January 14, 2020

Permalink

Many thanks to Mozilla and the Tor Browser team for this critical security update!

But the most lethal threats to Tor may be legal, not technical. The DOJ backed away from their first attempt to force Apple to write malware to unlock a dead terrorist's phone, but now they are trying again:

thehill.com
Apple rejects Barr claim that company has given no 'substantive assistance' in Pensacola shooting probe
Justin Wise
13 Jan 2020

> Apple is refuting Attorney General William Barr's claim that the company has not given federal investigators "any substantive assistance" in its investigation into a December shooting at a Pensacola, Fla., military base that left three dead. The company also reiterated its stance on protecting encrypted devices in wake of Barr's push for law enforcement to gain access to the gunman's iPhone communications. Barr leveled the accusations against the Silicon Valley giant during a press conference Monday in which he detailed the findings of an investigation into the massacre, which was carried out by a member of the Royal Saudi Air Force who had enrolled in the Naval Air Station Pensacola training program. Lt. Mohammed Saeed Alshamrani killed three U.S. sailors and wounded eight others after entering the naval station grounds on Dec. 6.

One of the most frustrating aspects of this insanity is that DOJ has not even attempted to explain in rational terms what it expects to learn if it could decrypt the phone. However numerous NCTC and FBI documents (published at sites like publicintelligence.net) show that USG is obsessed with discovering "predictors" for which persons will commit terrorist acts in the future, a goal which is almost certainly quite impossible, given the extreme rarity of actual terrorists (i.e. not journalists and civil rights workers who are often absurdly labeled "terrorists" by governments and their media shills, offended CEOs, angry cops, etc).

January 14, 2020

Permalink

Has this been addressed?

https://winaero.com/blog/update-mozilla-firefox-to-fix-a-critical-flaw/

Update Mozilla Firefox to fix a critical flaw
Mozilla has advised all users of its Firefox browser to update to the latest version in order to fix a highly critical security flaw that could allow attackers to take over your computer.
Firefox Quantum Logo BannerThe company revealed that a "security firm [called] Qihoo 360 reported a vulnerability that was used as part of targeted attacks on a local network". and that they released the patch on Wednesday morning. The flaw is a memory bug that would allow hackers to execute code on a hacked system that would allow them to take it over.

The CISA has also advised all users and administrators to perform an update to their Firefox installations, saying that they should "review the Mozilla Security Advisory". Standard users can simply update Firefox over the air, although the browser may have applied updates automatically, as it is set to do.

Check your Firefox version number
It's simple to check if the version of Firefox you're running is up to date. To see what version you are on, simply type about:support in the omnibox (main search bar) and look under 'Application Basics' for the version number. If you are on Firefox 72.0 or earlier, you're at risk to the fatal bug. Version 72.0.1 and later are protected.

try wikipedia, and try a search of
vpn vs tor

tor should give better privacy.

I've never used a vpn.

as i understand:

For tor browser, the route "out" is: your PC, then the ISP you are connected to, then through three tor "nodes", then the website that your browser shows you.
The locations of the three tor nodes change at times.
So, your ISP (of wherever you are) sees changing IPs of the first tor node.
Each website sees the changing IPs of the third tor node.

For vpn, the route "out" is: your PC, then the ISP you are connected to, then the vpn, then the website that your browser shows you.
The vpn's IP is the same (Other than they might use more than only one IP address).
So, your ISP (of wherever you are) sees the IP of the vpn.
Each website sees the IP of the vpn.

Some businesses have vpn for employees to connect to from home, or from elsewhere away from the business location.

People who use vpn often (try to) choose one with server located in a legally "safer" country. (stronger privacy laws)

I believe those are the most significant differences.

January 16, 2020

Permalink

GRRRR ... here we go again ... How do you put tabs below address bar ?
this has been a continuous complaint for over 10 yrs and firefox coders still won't give the option of switching it to where we want/need it as part of regular settings! Why?

Major browsers haven't had tabs below the address bar for a very long time. Tabs below is not intuitive from a user experience perspective. Each tab loads its own URL, so when a user clicks on a different tab, the state of that tab including its URL should be inside the frame of that tab; therefore, URL under the tab button. As for whether there should be an option to move it back, ask Mozilla (on bugzilla) and every other major browser because it's outside of the scope of Tor Project.

January 18, 2020

Permalink

B"H

Hello

The new Tor 904 version doesn't open on my computer, but does leave a Firefox.exe process running.

Please fix this.

Sincerely, Dovid

January 18, 2020

Permalink

Improve the indicators of a new version.

Most of the time, I start a new identity rather than close Tor browser. Today, I closed it to fix a taskbar problem. When I reopened Tor browser, I watched it install an update, and after it started, about:tor said 9.0.2. I opened Help -> About Tor Browser, and it had a button to restart and apply an update even though I just did. I clicked, it closed, installed an update, and said 9.0.2 again. I went to About Tor Browser, and it had the button again. It wasn't updating. I had more than enough space free. Maybe I ran out of space at some point weeks ago, but I had enough now. There wasn't any indication that versions above 9.0.2 were released. What caught my attention was the progress bar showing that Tor browser always installed an update every time I opened it. To a novice, that's all they would see. They wouldn't know they should open Help menu or the website or blog. They would think 9.0.2 was the latest version and be stuck on it none the wiser.

Linux 64, Cinnamon

I deleted the folder and installed 9.0.4 from scratch. About Tor Browser says "up to date". I'll remember to watch if it auto-updates to future versions properly. In blog posts for 9.0.1 to 9.0.3, a few comments talked about red screens, "Something went wrong", and problems updating. I never saw a red screen. I don't think my problem had something to do with to theirs.

If you still have a copy of the non-working 9.0.2, you can help us debug the issue, by setting the pref app.update.log to true, and starting the browser with the `--debug` option. You might also be able to find some update logs in the updates/ directory.

January 27, 2020

In reply to boklm

Permalink

Unfortunately, I don't. I deleted it to avoid conflicts with two versions at the same time. If it happens again, I'll look for your instructions here and reply in the newest TB post.

January 22, 2020

Permalink

Tor Browser Android

recommends about:config

browser.privatebrowsing.autostart ; false

January 22, 2020

Permalink

Tor Browser android bug fix about:comfig -> browser.privatebrowsing.autostart ; true
good! -> browser.privatebrowsing.autostart ; false

January 22, 2020

Permalink

Don't k3if this is 3bug or what but Tor update broke my computer. I allowed an update about a day ago and have not been able to access the internet since then. The ISP see my computer online sending and receiving, but I cannot access the internet. rebooting and resetting the computer and router doesn't help. I've run out of ideas about a possible solution.
Ii am now afraid to do any further Tor updates, which probably means I won't be able to use Tor.
I looked at the support portal but I don't see anything there that might help.

January 24, 2020

Permalink

What is this?

Open: Options->Tor->Tor logs.
In Browser Console:
Tor WARN: Error replacing "X:\...\TorBrowser\Data\Tor\torrc": Permission denied

January 27, 2020

In reply to boklm

Permalink

"Tor Browser needs write permission"

The question is: Why and what the TB needs to write in the torrc?
Why the TB is 'touching' the torrc file without any neccesity?

January 24, 2020

Permalink

The 'Guard' IP doesn't change between Tor Browser (TB) restart or when clicking on 'New Identity' (NI) or keyboard shortcut Ctrl+Shift+U.

  1. So far I've re-installed 9.0.4 on top of the old 9.0.4, which didn't resolve the issue.
  2. Then I delete all the files and folders from Tor directory, except Profile directory, and re-installed 9.0.4. Still same problem

Last time this happened was during a 8.5.x (or maybe 8.4.x). I can't recall what was the solution (but I think someone suggested, just installing again over the old version), but that did resolve the problem, until now. I don't know which version of 9.0.x started this.

January 27, 2020

In reply to boklm

Permalink

Thank you for the explanation. Do you know exactly which version and when, this was changed from the previous behavior of changing guard during every browser restart or with every 'New Identity'?

January 27, 2020

Permalink

dispite that i have set security lvl to safest,i will get this when i enter a dark web site ; WARNING: You have javascript enabled in your browser! Disable this for your own safety!
Having Javascript enabled may result in having your private IP leaked and having your computer fingerprinted! so for now i will not use TOR for anything,you can roll back or fix it so script show allowed or default/denied too while you are at it

January 31, 2020

Permalink

The download function was broken. When it went to the last second of the download, it stopped and didn't complete. Please fix it.

February 01, 2020

Permalink

The tor browser fails to start correctly at the first time I start it. I have to try it twice, three times. Please fix the problem.

February 04, 2020

Permalink

Please add tor cirrcuit in browser...or simple gui function to user could chance exit nodes from browser..not from txt config file..
I thing you do big mistake to erase tor cirrcuit..this function was from years...
Many people are not happy from this change..to what direct tor browser is going now?? to the not transparanency ?
Tor cirrcuit schemat must be again..in tor browser.

February 08, 2020

Permalink

Probably in order to sell their VPN services some companies are saying that IPV6 can leak your real IP.

I see that under about:config network.dns.disableIPv6 the default is false.

Would it not be better to have this changed to true or, for the security-minded user, should he/she change this setting to 'true'.

Your thoughts would be appreciated.

Thank you

February 09, 2020

Permalink

When I requested a bridge it failed to connect to any site. the bridges used below
[bridges lines removed, please don't share bridges publicly]

Auto-play on youtube works for me. Media auto-plays except if I open it in a new tab in the *background* that was not the active tab I was looking at. Autoplay of media is disabled in tor browser on first opening a page (any page, not simply youtube) because autoplay lowers privacy. If you accept the risk to enable it, you can read Mozilla's help here:

https://support.mozilla.org/en-US/questions/1238033
https://developer.mozilla.org/en-US/docs/Web/Media/Autoplay_guide

That is, unless you are talking about Noscript's yellowish layer covering media you haven't allowed in Noscript. Make sure you are on Standard security level unless you know how to configure Noscript.

February 11, 2020

Permalink

The new version of tor shrinked the window. It brings an awful user experience to me. Please give me an option to turn it off. How to off it.

February 11, 2020

Permalink

when you maximize tor browser, there's a gray border around the content. I know that you're not supposed to maximize but I use tor for non-sensitive things to help those who do sensitive things and I'd really just like a proper browser window