New Release: Tor Browser 9.0.6

by sysrqb | March 12, 2020

Tor Browser 9.0.6 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 68.6.0esr and NoScript to 11.0.15.

Note: We are aware of a bug that allows JavaScript execution on the Safest security level (in some situations). We are working on a fix for this. If you require that JavaScript be blocked, you can disable it completely as follows:

  • Open about:config
  • Search for: javascript.enabled
  • If the "Value" column says "false", JavaScript is already disabled.
  • If the "Value" column says "true", either right-click the row and select "Toggle", or double-click the row; either way the value becomes "false" and JavaScript is disabled.

Update: NoScript 11.0.17 should solve this issue. Automatic updates of NoScript are enabled by default, so you should get this fix automatically.

Update 2: We received a report that the NoScript update is not completely mitigating the issue. We are working on an update that will completely disable JavaScript using the javascript.enabled pref.
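The about:config change above is persisted in the profile as a user_pref("javascript.enabled", false); line in prefs.js, and can be pinned in user.js. As an added example (not part of this post and not Tor Browser's own code), the Python below parses those files offline and reports the effective value, so a profile can be audited or pre-configured without opening the browser. The sample file contents are constructed, and the Tor Browser profile location named in audit_profile() is an assumption for the Linux bundle layout.

```python
import re
from pathlib import Path

# Matches one pref line from prefs.js / user.js, e.g.
#   user_pref("javascript.enabled", false);
# Values are true/false, an integer, or a double-quoted string.
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def _coerce(raw: str):
    """Turn the textual pref value into a Python bool/int/str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        # Undo the two escape sequences Firefox writes into string prefs.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as text rather than guessing


def parse_prefs(text: str) -> dict:
    """Parse prefs.js/user.js text into {pref_name: value}.

    Comment lines ("// Mozilla User Preferences") and blank lines do not match
    PREF_RE and are skipped; a later line for the same pref wins, as in Firefox.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = _coerce(raw)
    return prefs


def javascript_enabled(prefs: dict) -> bool:
    """Effective value of javascript.enabled. Firefox's built-in default is
    true, so a profile that never overrode the pref has JavaScript enabled."""
    return bool(prefs.get("javascript.enabled", True))


def set_pref(text: str, name: str, value) -> str:
    """Return user.js text with `name` set to `value`: an existing line for
    that pref is replaced, otherwise one is appended."""
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, int):
        literal = str(value)
    else:
        literal = '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'
    new_line = f'user_pref("{name}", {literal});'
    out, replaced = [], False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


# Constructed sample of what a profile's prefs.js might contain after the
# about:config toggle described above; not copied from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences

// DO NOT EDIT THIS FILE.
user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1584000000);
user_pref("extensions.torbutton.security_slider", 1);
user_pref("javascript.enabled", false);
"""


def audit_profile(profile_dir) -> bool:
    """Read prefs.js and user.js from a profile directory and report whether
    JavaScript is enabled. For Tor Browser 9 on Linux the directory is assumed
    to be Browser/TorBrowser/Data/Browser/profile.default under the bundle."""
    merged = {}
    for fname in ("prefs.js", "user.js"):  # user.js overrides prefs.js at startup
        p = Path(profile_dir) / fname
        if p.exists():
            merged.update(parse_prefs(p.read_text(encoding="utf-8")))
    return javascript_enabled(merged)


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    print("javascript.enabled =", javascript_enabled(prefs))
    print(set_pref("", "javascript.enabled", False), end="")
```

A missing pref is reported as enabled on purpose: auditing for the presence of the line, rather than for its value, is the mistake that makes a profile look locked down when it is not.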

The full changelog since Tor Browser 9.0.5 is:

  • All Platforms
    • Update Firefox to 68.6.0esr
    • Bump NoScript to 11.0.15
      • Bug 33430: Disable downloadable fonts on Safest security level
  • Build System
    • Windows
      • Bug 33535: Patch openssl to use SOURCE_DATE_EPOCH for copyright year

Comments

Please note that the comment area below has been archived.

March 12, 2020

tor-browser-9.0.6-android-****-multi.apk
tor-browser-9.0.6-android-****-multi-qa.apk
How do the "qa" versions differ from the standard version?

Android uses apk signing for accomplishing (at least) two goals: 1) verify if the apk was modified after the developer published it, 2) ensure an apk that claims to be a newer version of an app you already installed is actually produced by the same developer (the person who controls the required cryptographic signing key).

To answer your question, the "multi-qa.apk" file is cryptographically signed using a key that is available to everyone (https://gitweb.torproject.org/builders/tor-browser-build.git/tree/proje…). The "-multi.apk" version is signed by a key only controlled by a few Tor Browser developers. Therefore, you should only install the "-multi.apk" version, unless you are not concerned with installing a modified/tampered/backdoored version of Tor Browser. (You can use the PGP signature separately to verify the authenticity of the multi-qa.apk file, but Android won't have any way of verifying the authenticity, so you must be extra careful in that case.)

March 16, 2020

In reply to sysrqb

So the -qa version is signed using a publicly available key, but what for? Is it for developers?

You probably shouldn't install addons in the Tor Browser. It can make your browser fingerprint unique or at least less anonymous. That makes it easy to correlate all your activities.

This addon even seems to do dangerous stuff such as bypassing Tor to resolve DNS. That likely sends the names of all the websites you visit straight to your internet provider.

Configure FlagFox to make DNS requests through Tor instead of telling your ISP the sites you browse. Or find a different way to get FlagFox's features. Or don't use Tor Browser.

https://en.wikipedia.org/wiki/DNS_leak
https://support.torproject.org/tbb/tbb-14/
https://2019.www.torproject.org/projects/torbrowser/design/#proxy-obedi…
https://trac.torproject.org/projects/tor/wiki/WikiStart#DNSleakpreventi…

Why would anybody want to do local DNS requests when using TOR? If you are using clear DNS, well, then your ISP can see which websites you are visiting, as if you weren't using TOR at all. And if you are using DNS over HTTPS, then one who manages the DNS server can track you, again, as if you weren't using TOR at all.

You shouldn't use other extensions with the TOR Browser, especially ones that send requests, and privacy tools. Just don't use FlagFox, you give up your anonymity that way since it connects to a service with each website you visit to determine the location, which essentially gives the service access to every site you visit which ruins the purpose of using TOR in the first place.
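The DNS-leak point in the comments above comes down to which SOCKS5 address type the client sends. Tor Browser passes the hostname itself to the local Tor SOCKS port (address type 0x03), so the exit relay resolves it and no local lookup happens; a client that resolves the name first and sends an IPv4 address (address type 0x01) has already handed the hostname to the operating system's resolver, normally the ISP's. The Python below, an added example that is not part of the thread or of Tor Browser's own code, builds both request forms and records what the system resolver got to see. The resolver is injected so it runs offline, and the hostname and address mapping are constructed.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def connect_request_remote_dns(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT carrying the hostname itself (ATYP 0x03).

    This is the form Tor Browser sends: the name leaves the machine only
    inside the Tor circuit and is resolved by the exit relay, so no local DNS
    query is made.
    """
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
            + struct.pack("!B", len(name)) + name
            + struct.pack("!H", port))


def connect_request_local_dns(host: str, port: int, resolver) -> bytes:
    """SOCKS5 CONNECT carrying an IPv4 address (ATYP 0x01).

    `resolver` stands in for the OS resolver (socket.gethostbyname in real
    code). Calling it is the leak: the hostname goes to the system's DNS
    server in the clear, outside Tor, before any SOCKS traffic is sent.
    """
    ip = ipaddress.IPv4Address(resolver(host))
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4)
            + ip.packed
            + struct.pack("!H", port))


def parse_connect_request(req: bytes) -> dict:
    """Decode a SOCKS5 CONNECT request, i.e. what the Tor SOCKS port sees."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        dst = req[5:5 + n].decode("idna")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
    elif atyp == ATYP_IPV4:
        dst = str(ipaddress.IPv4Address(req[4:8]))
        port = struct.unpack("!H", req[8:10])[0]
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    return {"atyp": atyp, "dst": dst, "port": port}


class RecordingResolver:
    """Stand-in for the system resolver that logs every name it is asked for,
    which is exactly what an ISP's DNS server would learn."""

    def __init__(self, table: dict):
        self.table = table
        self.queries = []

    def __call__(self, host: str) -> str:
        self.queries.append(host)
        return self.table[host]


def demo() -> dict:
    """Build both requests for one constructed hostname and report what leaked."""
    host, port = "www.example.test", 443                 # constructed hostname
    resolver = RecordingResolver({host: "192.0.2.10"})   # constructed mapping

    safe = connect_request_remote_dns(host, port)
    queries_after_safe = len(resolver.queries)           # expected: 0
    leaky = connect_request_local_dns(host, port, resolver)

    return {
        "remote_dns": parse_connect_request(safe),
        "local_dns": parse_connect_request(leaky),
        "queries_for_remote_dns": queries_after_safe,
        "names_seen_by_system_resolver": list(resolver.queries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same distinction is what the Firefox pref network.proxy.socks_remote_dns controls for the browser's own connections; an extension that does its own lookups (as the comments describe for FlagFox) bypasses that setting entirely, because the query never goes through the SOCKS path at all.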

March 12, 2020

The "about tor browser" dialog reports that it's up to date, but displays "9.0.5" as the version (68.5.0esr, 64-bit) both on Windows and Linux.

March 13, 2020

How can I get "Updates disabled by your system administrator" (about:preferences#general) to work reliably in Tor Browser, like in Firefox?

March 16, 2020

In reply to boklm

Exact, working, definite instructions to SWITCH OFF automatic updates: for TBB there seems to be only babble.
With Enterprise Policies (the only way) I can switch off updates in Firefox. FF notes "Your browser is being managed by your organization" and "Updates disabled by your system administrator", and there is no hostname/notice in about:networking about the update server address.
In TBB Enterprise Policies aren't working, and browser.policies.testing.disallowEnterprise and app.update.disabledForTesting have no effect? How can I switch off all automatic updates in TBB?

March 13, 2020

> Note: We are aware of a bug that allows javascript execution on the Safest security level (in some situations). We are working on a fix for this.

Ticket?

March 13, 2020

Upon opening the TBB (Linux) prior to the 9.0.6 update, it did not inform me that there was an update to 9.0.6, or any update at all, it just simply refused to load any page. It was only when I tried Help/About that it said I needed to restart for the update to install. Had I not thought to check Help/About just for the hell of it, I'd still be sitting here with the older version and sites which wouldn't load.

Please address this. Thank you.

March 13, 2020

my pet goose has been talking about this update all day! honk honk honk and that's the truth!

March 13, 2020

In your instructions to disable javascript, you should mention that false will deviate from the fingerprint camouflage if you're in Safer and Standard modes. It's intended to be done in Safest mode. Toggle it back to true (default, not bold) after the patch is released for it.

March 13, 2020

> Note: We are aware of a bug that allows javascript execution on the Safest security level (in some situations). We are working on a fix for this.

Does this explain why my Tor circuits appear to always use the same family of exit nodes? :-(

March 16, 2020

In reply to boklm

Thanks for the reply, but can you say anything at all about what might lie behind the experience I reported?

I should have mentioned that I use Tails booted from a live DVD (verified the ISO before burning). Fortunately, just as Tails 4.4 was published and I (immediately) started using it, the misbehaving large family of fast exit nodes seems to have largely vanished. I'd like to know whether it was caught spying and kicked off the Tor network by TP, or if there is some other explanation.

If TP had anything to do with getting that family out of (almost all) of my circuits, thanks much, because something was obviously very wrong.

Tails 4.4 with security slider on "most secure" may not entirely block Noscript? Could the same issue with Tails 4.3 help explain what I saw? If so, continued monitoring of the suspect family will be needed, assuming it has not been banned.

Could this have been the latest Carnegie-Mellon SEI attack on the Tor network?

The exit node is selected by the client, randomly. There is no reason it would select an exit node from the same family all the time. And whether or not JavaScript is allowed to run in the browser does not affect the selection of exit nodes at all.
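As an added example (not part of the thread and not Tor's own code), here is a simplified model of the client-side path selection the reply describes: each hop is drawn at random with probability proportional to the relay's consensus bandwidth, and no two relays from the same declared family are used in one circuit. Running it shows that a family holding a large share of exit bandwidth turns up as the exit often, roughly in proportion to that share, but not in every circuit. The relay list and bandwidths are constructed; real Tor additionally applies position-specific consensus weights, /16 subnet checks and exit-policy matching, which this model omits.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    nickname: str
    bandwidth: int      # consensus bandwidth weight; higher means picked more often
    family: str         # relays declaring the same family are never used together
    is_exit: bool = False
    is_guard: bool = False


def weighted_choice(rng: random.Random, relays, exclude=frozenset()):
    """Pick one relay with probability proportional to bandwidth, skipping any
    relay (or any member of a family) already listed in `exclude`."""
    candidates = [r for r in relays if r not in exclude and r.family not in exclude]
    if not candidates:
        raise RuntimeError("no eligible relay left")
    return rng.choices(candidates, weights=[r.bandwidth for r in candidates], k=1)[0]


def build_circuit(rng: random.Random, relays):
    """Choose the exit first (so the other hops can avoid its family), then the
    guard, then the middle, never reusing a relay or a family."""
    exit_relay = weighted_choice(rng, [r for r in relays if r.is_exit])
    used = {exit_relay, exit_relay.family}
    guard = weighted_choice(rng, [r for r in relays if r.is_guard], used)
    used |= {guard, guard.family}
    middle = weighted_choice(rng, relays, used)
    return (guard, middle, exit_relay)


def exit_family_share(rng: random.Random, relays, family: str, circuits: int) -> float:
    """Fraction of `circuits` whose exit belongs to `family`."""
    hits = 0
    for _ in range(circuits):
        _, _, ex = build_circuit(rng, relays)
        hits += ex.family == family
    return hits / circuits


def exit_bandwidth_share(relays, family: str) -> float:
    """Long-run expectation: the family's exit bandwidth over all exit bandwidth."""
    exits = [r for r in relays if r.is_exit]
    return sum(r.bandwidth for r in exits if r.family == family) / sum(r.bandwidth for r in exits)


def no_family_repeats(rng: random.Random, relays, circuits: int) -> bool:
    """Invariant check: no circuit ever contains two relays of one family."""
    for _ in range(circuits):
        guard, middle, ex = build_circuit(rng, relays)
        if len({guard.family, middle.family, ex.family}) != 3:
            return False
    return True


# Constructed consensus: one large fast family ("bigfam") holding 60% of exit
# bandwidth, plus independent relays. Names and numbers are made up.
RELAYS = [
    Relay("bigfam1", 9000, "bigfam", is_exit=True, is_guard=True),
    Relay("bigfam2", 8000, "bigfam", is_exit=True),
    Relay("bigfam3", 7000, "bigfam", is_exit=True),
    Relay("exitA", 5000, "famA", is_exit=True),
    Relay("exitB", 5000, "famB", is_exit=True),
    Relay("exitC", 4000, "famC", is_exit=True),
    Relay("exitD", 2000, "famD", is_exit=True),
    Relay("guard1", 8000, "famG1", is_guard=True),
    Relay("guard2", 6000, "famG2", is_guard=True),
    Relay("guard3", 4000, "famG3", is_guard=True),
    Relay("middle1", 3000, "famM1"),
    Relay("middle2", 3000, "famM2"),
    Relay("middle3", 2000, "famM3"),
]


def simulate(seed: int, circuits: int = 20000) -> dict:
    """Run the model with a fixed seed and return expected vs. observed share."""
    return {
        "expected": exit_bandwidth_share(RELAYS, "bigfam"),
        "observed": exit_family_share(random.Random(seed), RELAYS, "bigfam", circuits),
        "family_invariant_holds": no_family_repeats(random.Random(seed + 1), RELAYS, 2000),
    }


if __name__ == "__main__":
    result = simulate(2020)
    print("expected exit share of bigfam:", round(result["expected"], 3))
    print("observed exit share of bigfam:", round(result["observed"], 3))
    print("no family repeated within a circuit:", result["family_invariant_holds"])
```

With 20000 circuits the observed share sits within a few thousandths of 0.6. Seeing one family as the exit in nearly every circuit would therefore point at something other than ordinary selection, for instance a consensus in which that family holds almost all exit bandwidth or a client whose relay list is not the real consensus.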

March 17, 2020

In reply to boklm

> There is no reason that it would select an exit node from the same family all the time.

Could a malicious guard or bridge filter or degrade the available selections or randomness?

March 14, 2020

In reply to boklm

Swedish

sysrqb

March 16, 2020

In reply to noname (not verified)

We don't usually update the translations in the stable Tor Browser because only one version of the strings is available for localization, so new strings and their localizations are included in the alpha versions. In some situations translations are updated in the stable Tor Browser, but this does not happen for every release.

March 16, 2020

Hello, when does the Android version of 9.0.6 get pushed to the Google Play Store, as it contains important fixes to Firefox...

March 16, 2020

It is a good and necessary thing that TP continues to fix bugs and push development of Tor software, but we desperately need a plan to combat an existential political/legislative threat which appears intended to effectively make strong civilian cryptography illegal:

eff.org
The EARN IT Bill Is the Government’s Plan to Scan Every Message Online
The Graham-Blumenthal bill is anti-speech, anti-security, and anti-innovation.
Joe Mullin
12 Mar 2020

> Imagine an Internet where the law required every message sent to be read by government-approved scanning software. Companies that handle such messages wouldn’t be allowed to securely encrypt them, or they’d lose legal protections that allow them to operate. That’s what the Senate Judiciary Committee has proposed and hopes to pass into law. The so-called EARN IT bill, sponsored by Senators Lindsay Graham (R-SC) and Richard Blumenthal (D-CT), will strip Section 230 protections away from any website that doesn’t follow a list of “best practices,” meaning those sites can be sued into bankruptcy. The “best practices” list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption, and guarantee law enforcement “legal access” to any digital message.

So what is our plan? Can TP leadership please explain what TP is doing to combat the EARN-IT bill, "Going Dark" FUD, and all that?

These legislative initiatives in the US Congress targeting encrypted services such as Tor are by quite some distance the most urgent existential threat facing the Tor community, and also the most urgent existential threat to all network security (including the security of the US power grid, US elections, US health providers, journalists, civil liberties and human rights NGOs, etc.)

If Tor users fail to make their concerns known, we could suddenly find ourselves in a situation where TP faces the choice of

  • shutting down
  • putting in a USG backdoor (or looking the other way while a backdoor is inserted "upstream" or "downstream" of Tor software, perhaps by crippling something in critical Tor nodes)

> It is a good and necessary thing that TP continues to fix bugs and push development of Tor software, but we desperately need a plan to combat an existential political/legislative threat which appears intended to effectively make strong civilian cryptography illegal:

> If Tor users fail to make their concerns known, we could suddenly find ourselves in a situation where TP faces the choice of

>   • shutting down
>   • putting in a USG backdoor (or looking the other way while a backdoor is inserted "upstream" or "downstream" of Tor software, perhaps by crippling something in critical Tor nodes)

This isn't a very good forum for discussing this topic (and this blog post isn't particularly relevant); however, it is an important topic and it is something we are watching very closely. We are in contact with other civil society groups about this development, but we don't have any more information available than that. Obviously Tor cannot exist without strong cryptography (otherwise, what's the point?) and we will not produce or distribute software in which we know a backdoor exists. Please see the Support page for reference: https://support.torproject.org/about/backdoor/

Of course we hope the situation won't come to making the decision of halting development of Tor and Tor Browser.

March 16, 2020

When will you add a new bridge or ask another company to provide meek? Chinese communication nowadays (even the ones the GFW doesn't ban are "three cut one" (because of the cov)) means I have to use a VPN to connect to the Tor network. Would you just provide obfs4a or something like that?

March 18, 2020

Windows 8.1 32-bit, TBB 9.0.6 upgraded from the previous version, all settings default:
In 9.0.6 YouTube stopped working. I open a tab with YouTube... wait... and nothing happens. In earlier versions everything worked fine.

March 21, 2020

this sh*t is fu*ked *p.
1. create an account on reddit, log in, post, comment, whatever you like to do.
2. be done, log out (but don't close the reddit tab from which you logged out)
3. new tab > reddit = logged out
3.1 old tab (from which you were supposedly logged out and which was also not refreshed) allows access to the account (so far I edited a post successfully while "logged out")

3.2 reddit log out does not trigger a page refresh on the active page, but visiting this on a separate page gives a "not logged in" result.

4. in an imaginary world where someone logged in, posted, logged out, and then (without closing the active tab) got caught, it might add a significant amount of unwantedness.

and btw resurrect clear history in private mode pls

Does reddit behave that way in other browsers? If so, Tor Browser is not the problem, so tell reddit's developers.

Tor Browser enables Private Browsing by default. Since private mode does not save history, there is nothing to clear. As for disabling the lists of Recently Closed tabs and windows in the History menu that allow you to Undo closing, read here https://support.mozilla.org/en-US/questions/1238049

March 22, 2020

is there any extension that adds vim controls to firefox that i can use with tor browser while being as anonymous as without it?

March 24, 2020

I am new to this Tor Browser and all that and my first question is what is the difference between "Tor Browser Alpha" and "Tor Browser"?

The alpha is an experimental version for users who want to help us test new features. Most people should use the standard Tor Browser.

If your use of Tor Browser is not critical, and if you want to help us test new features, or if you are curious about what is coming, you can use the alpha.

For an even more experimental version you can use the Nightly:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Ni…

March 24, 2020

none

March 26, 2020

Thank you for your big efforts to keep it safer. I know how difficult the task is, even more so when dealing with other people's add-ons. You are the true White Hat Heroes. Government + Google et al + commercialized companies are the true hackers and thieves.

March 27, 2020

Hi, I just installed Tor Browser; the moment I start Tor Browser it says "GAH, your tab crashed" and I am unable to open any sites. Can anyone please give a proper guide?

March 30, 2020

After installation I start Tor and I get this info on the screen:
~ Application didn't start properly (0xc000007b); click OK to shut down the application.
How to fix this?
Good day

April 13, 2020

This bug was so predictable years ago (javascript not disabled by noscript or anything else, but about:config).