New Release: Tor Browser 9.0.6

Tor Browser 9.0.6 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 68.6.0esr and NoScript to 11.0.15.

Note: We are aware of a bug that allows javascript execution on the Safest security level (in some situations). We are working on a fix for this. If you require that javascript is blocked, then you may completely disable it by:

  • Open about:config
  • Search for: javascript.enabled
  • If the "Value" column says "false", then javascript is already disabled.
  • If the "Value" column says "true", then either right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.

Update: Noscript 11.0.17 should solve this issue. Automatic updates of Noscript are enabled by default, so you should get this fix automatically.

Update 2: We received a report that the noscript update is not completely mitigating the issue. We are working on an update that will completely disable javascript using the javascript.enabled pref.

The full changelog since Tor Browser 9.0.5 is:

  • All Platforms
    • Update Firefox to 68.6.0esr
    • Bump NoScript to 11.0.15
      • Bug 33430: Disable downloadable fonts on Safest security level
  • Build System
    • Windows
      • Bug 33535: Patch openssl to use SOURCE_DATE_EPOCH for copyright year
Tags
tor browser
tbb
tbb-9.0
Anonymous

Felix (not verified) said:

March 12, 2020

Permalink

tor-browser-9.0.6-android-****-multi.apk
tor-browser-9.0.6-android-****-multi-qa.apk
How do the "qa" versions differ from the standard version?

Android uses apk signing for accomplishing (at least) two goals: 1) verify if the apk was modified after the developer published it, 2) ensure an apk that claims to be a newer version of an app you already installed is actually produced by the same developer (the person who controls the required cryptographic signing key).

To answer your question, the "multi-qa.apk" file is cryptographically signed using a key that is available to everyone (https://gitweb.torproject.org/builders/tor-browser-build.git/tree/proje…). The "-multi.apk" version is signed by a key only controlled by a few Tor Browser developers. Therefore, you should only install the "-multi.apk" version, unless you are not concerned with installing a modified/tampered/backdoored version of Tor Browser. (You can use the PGP signature separately to verify the authenticity of the multi-qa.apk file, but Android won't have any way of verifying the authenticity, so you must be extra careful in that case.)

You probably shouldn't install addons in the Tor Browser. It can make your browser fingerprint unique or at least less anonymous. That makes it easy to correlate all your activities.

This addon even seems to do dangerous stuff such as bypassing Tor to resolve DNS. That likely sends the names of all the websites you visit straight to your internet provider.

Configure FlagFox to make DNS requests through Tor instead of telling your ISP the sites you browse. Or find a different way to get FlagFox's features. Or don't use Tor Browser.

https://en.wikipedia.org/wiki/DNS_leak
https://support.torproject.org/tbb/tbb-14/
https://2019.www.torproject.org/projects/torbrowser/design/#proxy-obedi…
https://trac.torproject.org/projects/tor/wiki/WikiStart#DNSleakpreventi…

Why would anybody want to do local DNS requests when using TOR? If you are using clear DNS, well, then your ISP can see which websites you are visiting, as if you weren't using TOR at all. And if you are using DNS over HTTPS, then one who manages the DNS server can track you, again, as if you weren't using TOR at all.

You shouldn't use other extensions with the TOR Browser, especially ones that send requests, and privacy tools. Just don't use FlagFox, you give up your anonymity that way since it connects to a service with each website you visit to determine the location, which essentially gives the service access to every site you visit which ruins the purpose of using TOR in the first place.

Anonymous

Anonymous (not verified) said:

March 12, 2020

Permalink

Is there any more information regarding the javascript bug?

Anonymous

Anonymous (not verified) said:

March 12, 2020

Permalink

The "about tor browser" dialog reports that it's up to date, but displays "9.0.5" as the version (68.5.0esr, 64-bit) both on Windows and Linux.

Anonymous

about (not verified) said:

March 13, 2020

Permalink

How can i get "Updates disabled by your system administrator"(about:preferences#general) reliable in the Tor Browser like in Firefox?

Exact working definite instruction to SWITCH OFF Automatic Updates -for TBB there seems to be only babble.
With Enterprise Policies -the only way for- in Firefox i can switch off Updates. FF notes "Your browser is being managed by your organization" and "Updates disabled by your system administrator" and no Hostname/notice in about:networking about the updateserver address.
In TBB Enterprise policies aren't working and browser.policies.testing.disallowEnterprise, app.update.disabledForTesting has no function? How can i switch off all automatic updates in TBB?

Anonymous

Anonymous (not verified) said:

March 13, 2020

Permalink

Note: We are aware of a bug that allows javascript execution on the Safest security level (in some situations). We are working on a fix for this.

Ticket?

Anonymous

/dev/null (not verified) said:

March 13, 2020

Permalink

Upon opening the TBB (Linux) prior to the 9.0.6 update, it did not inform me that there was an update to 9.0.6, or any update at all, it just simply refused to load any page. It was only when I tried Help/About that it said I needed to restart for the update to install. Had I not thought to check Help/About just for the hell of it, I'd still be sitting here with the older version and sites which wouldn't load.

Please address this. Thank you.

Anonymous

proud owner of… (not verified) said:

March 13, 2020

Permalink

my pet goose has been talking about this update all day! honk honk honk and that's the truth!