New Release: Tor Browser 9.0.6

Tor Browser 9.0.6 is now available from the Tor Browser download page and also from our distribution directory.
This release features important security updates to Firefox.
This release updates Firefox to 68.6.0esr and NoScript to 11.0.15.
Note: We are aware of a bug that allows JavaScript execution on the Safest security level (in some situations). We are working on a fix for this. If you require that JavaScript is blocked, you can disable it completely as follows:
- Open about:config
- Search for: javascript.enabled
- If the "Value" column says "false", then javascript is already disabled.
- If the "Value" column says "true", then either right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.
Update: NoScript 11.0.17 should solve this issue. Automatic updates of NoScript are enabled by default, so you should get this fix automatically.
Update 2: We received a report that the NoScript update is not completely mitigating the issue. We are working on an update that will completely disable JavaScript using the javascript.enabled pref.
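To confirm on disk that the about:config toggle above took effect, the following added example (not part of the original post or of Tor Browser) reads a profile's prefs.js and optional user.js and reports the effective value of javascript.enabled. Firefox writes only prefs changed from their default to prefs.js, so a missing entry means the default (true) applies; the file paths are supplied by the user and the sample contents are constructed.

```python
import re
import sys

# Matches lines such as: user_pref("javascript.enabled", false);
# Lines commented out with // do not match. Block comments are not handled.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
FIREFOX_DEFAULT = True  # javascript.enabled is true until the user changes it

# Constructed sample: profile where the pref was toggled in about:config.
SAMPLE_TOGGLED = '''// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "68.6.0");
user_pref("javascript.enabled", false);
'''
# Constructed sample: pref never changed, so prefs.js has no live entry.
SAMPLE_UNTOUCHED = '''// Mozilla User Preferences
// user_pref("javascript.enabled", false);
user_pref("browser.startup.homepage_override.mstone", "68.6.0");
'''


def read_pref(text, name):
    """Return the last value set for `name` in prefs.js-style text, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            raw = m.group(2)
            value = {"true": True, "false": False}.get(raw, raw)
    return value


def javascript_enabled(prefs_js, user_js=""):
    """Effective value: user.js overrides prefs.js at startup, else default."""
    for source in (user_js, prefs_js):
        value = read_pref(source, "javascript.enabled")
        if value is not None:
            return value
    return FIREFOX_DEFAULT


if __name__ == "__main__":
    # Usage: python check_js_pref.py path/to/prefs.js [path/to/user.js]
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:3]]
    state = javascript_enabled(*(texts or [SAMPLE_TOGGLED]))
    print("javascript.enabled =", state)
    sys.exit(1 if state else 0)  # non-zero exit when JavaScript is still on
```

Run it with the browser closed, since prefs.js is rewritten while the browser is running.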
The full changelog since Tor Browser 9.0.5 is:
tor-browser-9.0.6-android-****-multi.apk
tor-browser-9.0.6-android-****-multi-qa.apk
How do the "qa" versions differ from the standard version?
The -qa version is not signed.
Is that the only difference? What's the benefit of having a signed and unsigned release?
Android uses apk signing for accomplishing (at least) two goals: 1) verify if the apk was modified after the developer published it, 2) ensure an apk that claims to be a newer version of an app you already installed is actually produced by the same developer (the person who controls the required cryptographic signing key).
To answer your question, the "multi-qa.apk" file is cryptographically signed using a key that is available to everyone (https://gitweb.torproject.org/builders/tor-browser-build.git/tree/proje…). The "-multi.apk" version is signed by a key only controlled by a few Tor Browser developers. Therefore, you should only install the "-multi.apk" version, unless you are not concerned with installing a modified/tampered/backdoored version of Tor Browser. (You can use the PGP signature separately to verify the authenticity of the multi-qa.apk file, but Android won't have any way of verifying the authenticity, so you must be extra careful in that case.)
So the -qa version is signed using a publicly available key, but what for? Is it for developers?
Yes. The -qa version is the version we generate during our builds, before the signing process.
Why doesn't FlagFox work on Tor? I get a popup about "Your current proxy settings do not allow local DNS requests."
How do I get these messages corrected?
You probably shouldn't install addons in the Tor Browser. It can make your browser fingerprint unique or at least less anonymous. That makes it easy to correlate all your activities.
This addon even seems to do dangerous stuff such as bypassing Tor to resolve DNS. That likely sends the names of all the websites you visit straight to your internet provider.
Configure FlagFox to make DNS requests through Tor instead of telling your ISP the sites you browse. Or find a different way to get FlagFox's features. Or don't use Tor Browser.
https://en.wikipedia.org/wiki/DNS_leak
https://support.torproject.org/tbb/tbb-14/
https://2019.www.torproject.org/projects/torbrowser/design/#proxy-obedi…
https://trac.torproject.org/projects/tor/wiki/WikiStart#DNSleakpreventi…
Why would anybody want to do local DNS requests when using TOR? If you are using clear DNS, well, then your ISP can see which websites you are visiting, as if you weren't using TOR at all. And if you are using DNS over HTTPS, then one who manages the DNS server can track you, again, as if you weren't using TOR at all.
You shouldn't use other extensions with the TOR Browser, especially ones that send requests, and privacy tools. Just don't use FlagFox, you give up your anonymity that way since it connects to a service with each website you visit to determine the location, which essentially gives the service access to every site you visit which ruins the purpose of using TOR in the first place.
I'm very happy
Hello, when will the Android version be pushed. Thanks & love your project.
Automatic update disabled for this release?
Updates are enabled.
Is there any more information regarding the javascript bug?
We are working on a fix. We will provide more information when the issue is fixed.
The "about tor browser" dialog reports that it's up to date, but displays "9.0.5" as the version (68.5.0esr, 64-bit) both on Windows and Linux.
Is it still the case now?
Updates to 9.0.6 are enabled, and it is working for me.
> The "about tor browser" dialog reports that it's up to date, but displays "9.0.5"
I had a problem like yours with 9.0.2. https://blog.torproject.org/comment/286480#comment-286480 But I didn't have a problem updating 9.0.5 to 9.0.6.
9.0.6 is not showing up in the auto-update yet.
It is okay now.
When will Snowflake bridge be included in the stable release of the Tor browser?
There's no schedule for it yet, but we are working on changes that may make Snowflake usable enough to be included in the stable browser. You can follow that work here:
* https://bugs.torproject.org/33336
* https://lists.torproject.org/pipermail/anti-censorship-team/2020-Februa…
How can I get "Updates disabled by your system administrator" (about:preferences#general) reliably in the Tor Browser like in Firefox?
I don't understand what you are asking. What is the issue exactly?
Exact working definite instruction to SWITCH OFF Automatic Updates - for TBB there seems to be only babble.
With Enterprise Policies - the only way for - in Firefox I can switch off Updates. FF notes "Your browser is being managed by your organization" and "Updates disabled by your system administrator" and no Hostname/notice in about:networking about the update server address.
In TBB Enterprise policies aren't working and browser.policies.testing.disallowEnterprise, app.update.disabledForTesting has no function? How can I switch off all automatic updates in TBB?
Are you aware that TBB downloads and verifies its updates through Tor and not through the normal internet?
How can I switch off all automatic updates in TBB?
Yes.
Why no 'tbb-backport' from alphas in this release?
Note: We are aware of a bug…
Ticket?
We don't have a ticket yet. We are working on a fix and will publish more information when it is fixed.
Bug 33535: Patch openssl to…
Windows only?
Yes, the file we patched is only used in Windows builds.
When will the fix for the android bridges be patched into a stable version?
Where do I look for the 32-bit version?
https://www.torproject.org/download/languages/
Why no backport of Bug 32493?
Nice work!
Win32 TBB doesn't play mp4 videos: https://www.dailymotion.com/video/x73vs6r
Win32 isn't alone. It's Dailymotion or mp4s. I think it's Dailymotion.
it is playing them fine for me on 9.0.6, try a reinstall?
32-bit TBB for Win? On what Win?
Upon opening the TBB (Linux) prior to the 9.0.6 update, it did not inform me that there was an update to 9.0.6, or any update at all, it just simply refused to load any page. It was only when I tried Help/About that it said I needed to restart for the update to install. Had I not thought to check Help/About just for the hell of it, I'd still be sitting here with the older version and sites which wouldn't load.
Please address this. Thank you.
tor is the greatest protection thank you.
my pet goose has been talking about this update all day! honk honk honk and that's the truth!
What does 'copyright year' mean?
openssl is embedding a string like "Copyright (c) 1998-2020" where 2020 is the year when it was built.
I checked about:config and woff2 fonts are still on true, even on highest security level?