New Release: Tor Browser 9.0.5
Tor Browser 9.0.5 is now available from the Tor Browser download page and also from our distribution directory.
This release features important security updates to Firefox.
This release updates Firefox to 68.5.0esr, NoScript to 11.0.13, and on desktop, Tor to 0.4.2.6. We also added a new default bridge and backported a few improvements from the alpha series.
The full changelog since Tor Browser 9.0.4 is:
- All Platforms
- Windows + OS X + Linux
- Bump Tor to 0.4.2.6
- Bug 32132: Re-enable jemalloc for Windows users
- Build System
Please note that the comment area below has been archived.
Maraming salamat po Tor…
Maraming salamat po Tor Project!
are you thinking about a…
are you thinking about a solution when the entrynode is overloaded? like switching to another?
With the new update, when I…
With the new update, when I go into the Responsive Design Mode the option to change from responsive to a different type of selection will not show up anymore. fix please
What is the "Responsive…
What is the "Responsive Design Mode"? Does it work in the latest Firefox ESR?
Main 3-lines menu -> Web…
Main 3-lines menu -> Web Developer -> Responsive Design Mode
It has been in Firefox for a long time now. Yes, it is in ESR.
it's one of the web dev…
it's one of the web dev tools. Also can be disabled in Style editor options
in regular browser view, ctrl+shift+m squeezes the web page into a phone/tablet size view
Really cool ! :D
Really cool ! :D
Snowflake is available as…
Snowflake is available as bridge?
Not yet in the stable…
Not yet in the stable release. It is however available in the alpha:
I keep going to full screen…
I keep going to full screen accidentally with clicking the mouse, I assume it thinks I did "double click"
Is there a way to disable Full Screen mode?
or at least disable the gesture to go to Full Screen mode with "double click"?
I don't think there is a way…
I don't think there is a way to disable maximizing. Maybe in the configuration of your window manager (depending on which OS you are using).
However, having the Tor Browser window maximized should not be an issue with letterboxing:
I just now heard about this…
I just now heard about this letterboxing technique for the first time; great idea!
Once more, kudos to the Tor team for all their effort!
@boklm, fix the link to…
@boklm, fix the link to wikipedia's Letterboxing (filming) on that support page. Its end parenthesis is outside the [a] tag. ".../wiki/Letterboxing_(filming"
what about video playback?…
what about video playback? there is no letterboxing in that
Good point! I don't know if…
Good point! I don't know if there are techniques to fingerprint the user's dimensions in the video API or PDF display like there are in CSS. I don't know if there are special techniques in Responsive Design Mode, either.
It sounds like you have…
It sounds like you have double-click mapped to full screen or maximize in your OS configuration for window display or mouse buttons. I couldn't find anything in Firefox or Tor Browser
about:configthat affects it, but you can take a look if you want and search there for "full" or "gesture" and look up what those variables do. On most platforms, browser full screen toggle is mapped to the F11 key, and middle-click is mapped to auto-scroll toggle. Or it could be a different feature in your OS. Or your mouse could be broken.
Am I missing something? When…
Am I missing something? When will TB4A come to f-droid? Guardian project repo is outdated and the webpage points to a broken link on f-droid. The past two versions I had to download the apk on my desktop, verify the signature, then transfer to my phone and install. I have OpenKeychain but I haven't figured out how to verify a detached signature on my phone. You guys went to all this work to make an awesome replacement for Orfox, seems dumb we can't get it through f-droid.
Without trying to be rude,…
Please I am not trying to be rude, but to help others who read this.
You can connect direct to the Guardian Project's Repository using the F-Droid client
see "https://support.torproject.org/tormobile/tormobile-7/" which is better as it is more direct.
"In the meantime you can use [the] F-Droid [client] to download Tor Browser for Android by enabling the Guardian Project's Repository."
In the F-Droid Client
F-Droid Client > Settings > Repositories > and enable "Guardian Project Official Releases"
Yes I have the GP repo…
Yes I have the GP repo enabled in f-droid, but at the time I wrote that, it was still two versions behind (9.0.3). I had to manually download 9.0.4 & .5, check signatures and sideload apk. It looks like it's up to date now but it takes way too long
Uploading to f-droid is…
Uploading to f-droid is still a manual process, where we ask a person from the guardian project to do it for us. In the future we hope to automate the process more, so it can be done faster.
I see. Thanks for the…
I see. Thanks for the explanation. Is there a reason TB can't be uploaded to the default f-droid repo? Would it not be accepted? On the f-droid repo, developers can do the uploads themselves, so I imagine you could integrate that into the existing release process pretty easily. Otherwise, I guess TP would have to run its own repo server? (Which is not all that difficult, from what I remember)
We are planning to do this…
We are planning to do this at some point. However we are currently busy with the switch from Fennec to Fenix.
crashing on startup macos 10…
crashing on startup
Is there an error message?
Is there an error message?
Where is the dark letterbox…
Where is the dark letterbox theme? I went to Customize, Themes, Dark, and it's still white.
Dark letterbox theme will be…
Dark letterbox theme will be in version 9.5.
Right now I'm in China and…
Right now I'm in China and using OBFS4 connect to Tor network, is this because OBFS4 get developed that the Chinese party couldn't detected OBFS4 again?
Yes, obfs4 (and its…
Yes, obfs4 (and its predecessor, ScrambleSuit) were specifically developed to defend against "active probing attacks" which the Great Firewall invented to detect and block circumvention protocols.
I thought that obfs4 did not…
I thought that obfs4 did not work for a while in China and that is why people were using Meek which no longer works because of Google shenanigans.
yay i'm happy ( i don't know…
yay i'm happy ( i don't know why)
Debian uses Tor version 0.3…
Debian uses Tor version 0.3.5.8-1, while newest stable release is 0.4.2.6
is this a problem?
No, it's ok. 0.3.5.x is one…
No, it's ok. 0.3.5.x is one of the long-term supported series.
Next time, ask in a post whose title is "tor" rather than this post whose title is "tor browser".
In the short term, it's ok,…
In the short term, it's ok, but in the long term, it is NOT recommended to install tor packages from Debian's or Ubuntu's repositories. Instead, use Tor Project's repository unless your network blocks it or you have some compelling reason not to.
Twitter is acting…
Twitter is acting differently. It keeps returning "Something went wrong" and "Sorry, you are rate limited. Please wait a few moments then try again" when I try to look at tweets, searches, and settings. The search page and settings page look different, too. Try searching for something by the Twitter search icon in the address bar. Here's a screenshot https://i.postimg.cc/sxmtQ8TB/twitter.png
Since approx 2300 hrs GMT on…
Since approx 2300 hrs GMT on Feb 12th, my Tor has been disrupted - losing its connections every few minutes. My other browsers are not having this problem. I'm assuming this is due a problem in the new updated Tor
How are referers handled in…
How are referers handled in one tab? How are they handled if I open a link in a new tab? If referers are enabled, what good is creating a new separate circuit for the second domain if the second domain is told about the first domain?
Click here and find out:…
Click here and find out: https://www.whatismyreferer.com/
To answer your question, I think TB uses the same referer behavior as regular Firefox with Tracking Protection. It looks like referers are sent any time you click a link, even in a new window or tab. For cross-domain referers, only the domain part is sent, not the path or query string.
Also, I don't think TB does create a new circuit for each domain? I'm pretty sure by default it reuses the same circuit(s) for up to 10 minutes across all tabs/windows of the same TB instance. Each browser session is considered a single "anonymity zone", it doesn't try to prevent tabs/windows from being linked until you press new identity. TB is not meant to provide per-domain isolation within the same session. If you need that feature, you have to run multiple TB instances.
> I don't think TB does…
> I don't think TB does create a new circuit for each domain?
It does. My circuit display changes, and this says every new domain gets its own circuit. https://support.torproject.org/tbb/tbb-40/ That also links to a design document section on Cross-Origin Identifier Unlinkability. It doesn't mention referers directly, and it's a little too complicated for me to understand.
Yes. Each first-party gets…
Yes. Each first-party gets its own circuit (where first-party is roughly the the top-level domain plus the subdomain you see in the URL bar, such as "example.org", "google.com"). When you go to www.example.org Tor Browser uses the same circuit for the requests as when you visited accounts.example.org five minutes ago. If you visit both sites at the same time, then the requests/responses will use the same circuit.
For the referer header, as the previous response said, Tor Browser sends the entire URL when you move from one page to another on the same domain. When you move from one domain to another, then the destination only receives the "origin" in the referer header.
You can see some of the (more technical) options here:
In particular, we set `network.http.referer.defaultPolicy` as `2`, which is `strict-origin-when-cross-origin`. From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Poli… :
"Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP)."
If you use onion services, then Tor Browser does not send a referer headed from one onion serivce to another.
But why? Why does Tor…
But why? Why does Tor Browser send referer by default at all?
Yes it might break a few pages on the internets, maybe some search engines and banking and stuff like that, but the referer option should be up to the user to decide, not Tor Browser.
I like how the direction of Tor within the past decade has been 'one-click' to accomodate the masses, but it might be nice to have clickable menu options with these type settings to give users more fine tune control over their session anonymity, without having to delve into the torrc file, the registry or messing with proxies to strip headers out.
The referer option is still…
The referer option is still up to the user to decide, there is nothing preventing you from changing the pref controlling this. However it is not recommended to change it as it will make your fingerprint different from most other users.
OCHs like k2s are blocking…
OCHs like k2s are blocking Noscript.
Drop the acronyms to…
Drop the acronyms to unfamiliar audiences. Spell it out. Ambiguity prevents solutions.
Happy "I love Free Software"…
Happy "I love Free Software" Day. It's a celebration started by Free Software Foundation Europe. Thank you, Tor Project.
Good day. new to this and I…
Good day. new to this and I am not able to access select sites, receiving error codes where it is NOT ALLOWED, especially with financial institutions.
Is this what a Bridge is for? Never used your site before, new to this and would appreciate some guidance & education.
No, bridges do not change…
No, bridges do not change your exit IP address, so this makes no difference for the websites you visit.
Welcome! On top of the…
Welcome! On top of the purple homepage, you'll see links to Support and Documentation. You should also read the Tor Browser User Manual. Here are two good introductions:
About error codes returned by some websites you visit, see the Support site:
There are some details and examples on the development wiki's ListOfServicesBlockingTor.
About bridges, see the following. Some things they don't say (but should, boklm!) are that if you configure a bridge relay, it takes the place of your normal guard relay. Both of these types of relays, guard and bridge, are types of the first relay (node) in your 3-relay Tor circuits.
Recently I had to start…
Recently I had to start using a bridge, otherwise I couldn't open websites. This is happening in Portugal.
A bridge should not affect…
A bridge should not affect opening websites once you are connected to Tor. A bridge is supposed to help if you can't connect to Tor at all. The first connection to Tor is shown by a progress bar before the browser opens. If you can connect Tor without a bridge, then the websites that wouldn't open probably were blocking the exit node (last node) of your circuit. In that situation, the proper thing to do is click on the lock icon in the address bar -> blue button New Circuit for this Site. If other websites open, then that one website is blocking Tor.
I'm seeing this error in…
I'm seeing this error in Android 10 when I try to connect via bridges and it just can't connect:
"- WARN: Managed proxy at '/data/app/org.torproject.torbrowser-KiFX6x3o-sapD1j17SI96w==/lib/arm64/libObfs4proxy.so' reported: error: "/data/app/org.torproject.torbrowser-KiFX6x3o-sapD1j17SI96w==/lib/arm64/libObfs4proxy.so": executable's TLS segment is underaligned: alignment is 8, needs to be at least 64 for ARM64 Bionic
- WARN: Pluggable Transport process terminated with status code 6"
What's that about?
Unfortunately the obfs4 …
Unfortunately the obfs4 (pluggable transport) bridge does not work on Android 10 (Q) within Tor Browser 9. We currently have a fix for this in the Tor Browser 9.5 alpha series (experimental).
When I navigate in my…
When I navigate in my browser to:
I see port ocsp.digicert.com on port 80.
Isn't this kind of a leak of sorts?
OCSP is https://en.wikipedia…
OCSP is https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
Those requests should be isolated by URL bar domain. Although this is not currently the case on pages showing a certificate warning:
Can a Tor browser user…
Can a Tor browser user configure how often exit nodes are changed?
I need longer time with the same IP address...
It's possible to edit the…
It's possible to edit the tor configuration. But doing this will make you distinguishable from other users.
> Can a Tor browser user…
> Can a Tor browser user configure how often exit nodes are changed? I need longer time with the same IP address...
Timeout length of stale circuits could be interesting if you also consider the thread about referers on page 1. https://blog.torproject.org/comment/286734#comment-286734 For instance, how much information is a fresh second exit told about your session on the same domain that was on its stale first exit? People spend a lot longer than 10 minutes on some sites.
My TBB can't connect to Tor…
My TBB can't connect to Tor network anymore! how can I backup the bookmark?
This page has some…
This page has some information about this:
On Windows and Linux you can find the profile directory inside the Tor Browser directory, in Browser/TorBrowser/Data/Browser/profile.default/. On macOS it is in a TorBrowser-Data directory: https://tb-manual.torproject.org/uninstalling/
You might also be able to set the TOR_SKIP_LAUNCH=1 environment variable to start Tor Browser without connecting to Tor, and then use the browser to export bookmarks.
Questions about bookmarks…
Questions about bookmarks deserve to be added to the Support site and/or TB manual. Many users ask how to backup bookmarks. Search old posts for them and their answers. Here are a few from 2019 to expand the answer:
That sounds like a good idea…
That sounds like a good idea. I opened a ticket for that:
I am unable to download the…
I am unable to download the latest TOR browser update as I cannot connect to the main web page or the download page on any browser; I receive an error stating that a secure connection could not be established, and that the security certificate exceeds the maximum length. All of my browsers are up to date and all of them give the same error. Is this still an issue on my end or is it something that needs to be fixed on the website itself?
The website works for me.
The website works for me.
> I am unable to download…
> I am unable to download the latest TOR browser update...
The latest? So you have an older version? Can you access the download page through the old version?
Since the 12 February Tor…
Since the 12 February Tor update I can no longer access my ProtonMail account, but have no problem if I go through regular Firefox. The login screen just cycles endlessly, and I also get a pop-up message across the top that says a web page is slowing down my browser - even if nothing else is open whatsoever.
Also can't make the Tor browser the default.
Any ideas on how to fix these issues?
I didn't hear about problems…
I didn't hear about problems with accessing ProtonMail in Tor Browser.
Regarding making Tor Browser the default, it seems we don't have a good method to do it:
Although maybe we can try to fix that. What OS are you using, and what happens when you try to set Tor Browser as the default?
Unable to click on…
Unable to click on checkboxes and unable to highlight & copy with new Tor update.
Which OS are you using? Do…
Which OS are you using? Do you have the same issue in Firefox ESR?
Hi! New to TOR! This isn't…
Hi! New to TOR!
This isn't working for me: "api ms win crt convert 1-1-0 dll is missing"
It seems that installing…
It seems that installing some Windows updates would fix this:
Youtube blocks tor. I can't…
Youtube blocks tor. I can't watch the videos. What should I do?
Set your security level…
Change your security level shield to Safer or Standard, and open the video page. You will see a yellow panel with a blue "S" covering video players. That's NoScript doing its job. Click the yellow panel on a player to pop-up a blue dialog window where you can allow the [MEDIA] tag so videos will play. If the blue window doesn't work on Standard, you may have to open NoScript's options and set a custom, temporary (clock icon) permission to allow [MEDIA] on that first-party domain (youtube.com) and/or the third-party domain that hosts the video file (Youtube is a third party on sites that embed youtube videos into their pages). If you want to allow everything from a domain, simply click "Temp. Trusted". Don't change anything in NoScript unless you have familiarized yourself with it already in browsers like Chrome or Firefox because customized configurations can make you distinguishable on Tor. You can reset NoScript's per-site permissions to Tor Browser default by changing your security level shield.
If you're getting CAPTCHAs or "Our systems have detected unusual traffic from your computer network" (a different issue from above), either wait ten minutes and try again, or click ⓘ (i) in the address bar -> "New Circuit for this Site", or click the New Identity broom icon next to the address bar. Then, try opening Youtube again. I seem to have better luck if I open youtube's home page before I open a video page.
As always, read Tor Project's Support and Documentation.
eally great answer; thank…
Really great answer; thank you!
I rarely try to watch videos myself, but when I try to encourage others who need Tor but do not yet recognize the fact that they need Tor to try Tor Browser, the most common complaint I hear is "Youtube didn't work".
@ Tor Project:
Please, please, please: as we all recall, the long-promised site revamp did NOT go down well with the user base and did not help resolve the difficulty of finding the most recent and best advice on how to use Tor. I ask that someone be assigned to try again.
Please bear in mind:
BTW, in the blog preview does not work. Plus NSA must find it very informative to watch posters manually write HTML code.
> begin with "last updated…
> begin with "last updated on [date]"
Wikis and generally most places that have those put it in the footer. Tor Project's Trac wiki does too.
> begin with concise presentation of the most useful information
> drill down into more complex issues second
However, in a documentation paradigm, the information is a reference rather than an interjection like a press release. Reference documents can't predict what the reader will be asking or looking for, so instead, they organize by category and/or prioritize by what readers most frequently ask. For another example, look at https://docs.python.org/
Others have proposed search features:
Yes to everything else you said. This thread should be forwarded to the Website team.
I'm using Tor version 9.0.5…
I'm using Tor version 9.0.5 on android phone using Android 9. Is there a way to view Tor logs regarding server names? I slide the screen to the left while connecting to read the logs but towards the end everything closes so fast that I cannot read anything about what country I'm connected to or what servers I'm using etc. Thank you!
I was surprised to find by…
I was surprised to find by default that there was no tick in "Prevent accessibility services from accessing your browser" considering what it says on this webpage about third party applications may be monitoring your web surfing activity.
Am I missing something?, like you have already disabled it all by default in about:support ?.
Third party applications may be monitoring your web surfing activity
considering it says
What is the impact of having Firefox Accessibility Service enabled?
Firefox Accessibility Service may negatively impact Firefox browsing performance
Third party applications may be monitoring your web surfing activity
Firefox stability may be adversely affected
I tried to preview this post but I could not see it even even though I allowed NoScript, does it work?.
I opened a ticket about this…
I opened a ticket about this:
So it turns out we already…
So it turns out we already had a ticket about this:
And the conclusion was that we can't disable accessibility services by default because re-enabling it will be difficult for the people who need it.
Info that wasn't in 26505…
Info that wasn't in 26505 when you posted it:
Thanks boklm, that is…
that is understandable, it's good to read that they are looking for Mozilla to fix this.
Could you possibly post a link to problems, advisories about things like this in the future (which may leave people open to tracking or other potential privacy leaks) and place a link on the the Tor download pages and at the top of each new Tor release blog post, so that people can take the necessary steps to work around any new problems until they get fixed? as finding out about things kike this often take a lot of digging to find and most users will probably just go ahead and start browsing.
Otherwise I and other users tend to just stubble across these things, if at all, which are often already known about, but not by the average user who may possibly never even visit the Tor blog, ot other sites, I didn't notice that setting in "Options, Privacy & Security, Permissions section, Prevent accessibility services from accessing your browser checkbox" for a day or two. so it was left turned on.
It is not clearly marked in Firefox (as to what it leaves you open to) until you click further to investigate it.
I think considering that it presently leaves you open to being tracked that Mozilla should separate it and list it under Privacy and Third Party Tracking Data along with its other interned use as it is easily missed, even though I have viewed that setting a few times already I still had to look up where to find it again today after failing to find it again, ts to well hidden sitting at the end of a list looking all Innocent.
This option not being…
This option not being checked does not leave you open to being tracked.
This option can prevent a malicious program from monitoring the browser using accessibility services. But a malicious program probably could do it in other ways too, so it's unclear whether this option offer much protection.
Ok thanks I guess I took …
Ok thanks, I guess I took "Third party applications may be monitoring your web surfing activity" to just mean tracking in general terms.
One unrelated problem which I came across the other day is:
[Show all bookmarks] if you type or paste a search term into the search box then click on it to edit it (because you spelt it wrong) or if you click on a white area of the search box it highlights the entire search term which then it freezes it, you can not un-highlight it by clicking on the white space or the word, you can't even use backspace, all you can do is delete it.
I did find one way out of it today though, if you use the arrow keys after you highlight it, it will un-highlight it and you can then edit away as normal, it does need fixing though.
Can you reproduce this…
Can you reproduce this problem in vanilla Firefox ESR?
Dont know if its the right…
Dont know if its the right place, but still post it here.
in android version of torbrowser, the default language setting is "System default", which causes the system language to appear in the HTTP accept headers. For less populus languages this effectively makes torbrowsers fingerprint quite unique, at least according to panopticlick.
Changing intl.accept-language to something more common like en-Us, en seems to correct it.
Thanks for the report. I…
Thanks for the report. I opened a ticket about this to investigate the issue:
Noscript does not save my …
Noscript does not save my "trusted" settings. Every time I load TOR I have to go into Noscript options, trusted, and re-disable the "media" setting.
Even then can't really trust the noscript settings to do what they say. I had 3 tabs loaded each with different "temp trusted" settings, and then the noscript menu went blank, displaying that blankness in a larger noscript window i hadn't seen before.
noscript does not save per…
noscript does not save per-site permissions, as it can be dangerous to record that a site has been visited. There is however a preference that can be set to change this:
> the noscript menu went…
> the noscript menu went blank, displaying that blankness in a larger noscript window i hadn't seen before
The toolbar icon's list often opens empty for me. Move your mouse arrow up and down on the blankness, and the lines of permissions should appear. I don't know why it happens.
My TOR Browser is not never…
My TOR Browser is not never default my browser! may-be is not possible to save configuration.
Have you some ideas? I must reload again TOR 9.0.5 ?
Avast report virus on this…
Avast report virus on this version 9.0.5: Win64:Evo-gen in nssdbm3.dll and mozi....dll(forget the name)
Make sure to update your antivirus scanner software's virus definition files. After updating, scan again. To compare results from many scanners, you could upload the reported files to https://www.virustotal.com/
I use "UseEntryGuards 0". I…
I use "UseEntryGuards 0". I don't want the entry node always keep the same. Is that dangerous?
Yes, this is not a good idea…
Yes, this is not a good idea.
See Tor Guard Specification if you want more details: https://gitweb.torproject.org/torspec.git/plain/guard-spec.txt
And blog posts about this: https://blog.torproject.org/category/tags/entry-guards
Hi in version 9.0.5 every…
in version 9.0.5 every time i start Tor browser the size of the browser's window, zoom setting of websites and many more setting keep resetting to default values
I enabled history, put browser in standard security mode and disabled "always in private mode" option
but problem still exist
please help me with this