New Release: Tor Browser 9.0.6

Tor Browser 9.0.6 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 68.6.0esr and NoScript to 11.0.15.

Note: We are aware of a bug that allows JavaScript execution on the Safest security level (in some situations). We are working on a fix for this. If you require that JavaScript is blocked, you can disable it completely as follows:

  • Open about:config
  • Search for: javascript.enabled
  • If the "Value" column says "false", then javascript is already disabled.
  • If the "Value" column says "true", then either right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.
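To confirm outside the browser that the toggle above took effect, the following added example (not Tor Project code) reads a profile's pref files and reports the effective `javascript.enabled` value. The function names are hypothetical, the sample prefs text is constructed, and the profile directory (typically `Browser/TorBrowser/Data/Browser/profile.default` inside the Tor Browser folder) is an assumption you pass in yourself.

```python
import re
import sys
from pathlib import Path

# One pref line, e.g.  user_pref("javascript.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample of a prefs.js after the about:config toggle above.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("javascript.enabled", false);
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw
    return prefs

def javascript_enabled(profile_dir):
    """Effective javascript.enabled for a profile directory.

    prefs.js stores only values changed from the default, so a missing
    entry means the default (true). user.js, when present, is applied
    on top of prefs.js at startup, so it is read last here.
    """
    effective = {}
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            effective.update(parse_prefs(text))
    return effective.get("javascript.enabled", True)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("javascript.enabled =", javascript_enabled(sys.argv[1]))
    else:
        print(parse_prefs(SAMPLE_PREFS))
```

A result of `False` means the pref is set as the note describes; `True` means JavaScript blocking still depends on NoScript alone.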

Update: NoScript 11.0.17 should solve this issue. Automatic updates of NoScript are enabled by default, so you should get this fix automatically.

Update 2: We received a report that the NoScript update is not completely mitigating the issue. We are working on an update that will completely disable JavaScript using the javascript.enabled pref.

The full changelog since Tor Browser 9.0.5 is:

  • All Platforms
    • Update Firefox to 68.6.0esr
    • Bump NoScript to 11.0.15
      • Bug 33430: Disable downloadable fonts on Safest security level
  • Build System
    • Windows
      • Bug 33535: Patch openssl to use SOURCE_DATE_EPOCH for copyright year

Anonymous

March 13, 2020

In your instructions to disable javascript, you should mention that false will deviate from the fingerprint camouflage if you're in Safer and Standard modes. It's intended to be done in Safest mode. Toggle it back to true (default, not bold) after the patch is released for it.

Anonymous

March 13, 2020

> Note: We are aware of a bug that allows javascript execution on the Safest security level (in some situations). We are working on a fix for this.

Does this explain why my Tor circuits appear to always use the same family of exit nodes? :-(

Thanks for the reply, but can you say anything at all about what might lie behind the experience I reported?

I should have mentioned that I use Tails booted from a live DVD (verified the ISO before burning). Fortunately, just as Tails 4.4 was published and I (immediately) started using it, the misbehaving large family of fast exit nodes seems to have largely vanished. I'd like to know whether it was caught spying and kicked off the Tor network by TP, or if there is some other explanation.

If TP had anything to do with getting that family out of (almost all) of my circuits, thanks much, because something was obviously very wrong.

Tails 4.4 with security slider on "most secure" may not entirely block Noscript? Could the same issue with Tails 4.3 help explain what I saw? If so, continued monitoring of the suspect family will be needed, assuming it has not been banned.

Could this have been the latest Carnegie-Mellon SEI attack on the Tor network?

The exit node is selected by the client, randomly. There is no reason that it would select an exit node from the same family all the time. And whether or not javascript is allowed to run in the browser does not affect at all the selection of exit nodes.

We don't usually update the translations in the stable Tor Browser because only one version of the strings is available for localization, so new strings and their localizations are included in the alpha versions. In some situations translations are updated in the stable Tor Browser, but this does not happen for every release.

Anonymous

March 16, 2020

Hello, when does the Android version of 9.0.6 get pushed to the Google Play Store, as it contains important fixes to Firefox...

Anonymous

March 16, 2020

It is a good and necessary thing that TP continues to fix bugs and push development of Tor software, but we desperately need a plan to combat an existential political/legislative threat which appears intended to effectively make strong civilian cryptography illegal:

eff.org
The EARN IT Bill Is the Government’s Plan to Scan Every Message Online
The Graham-Blumenthal bill is anti-speech, anti-security, and anti-innovation.
Joe Mullin
12 Mar 2020

> Imagine an Internet where the law required every message sent to be read by government-approved scanning software. Companies that handle such messages wouldn’t be allowed to securely encrypt them, or they’d lose legal protections that allow them to operate. That’s what the Senate Judiciary Committee has proposed and hopes to pass into law. The so-called EARN IT bill, sponsored by Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), will strip Section 230 protections away from any website that doesn’t follow a list of “best practices,” meaning those sites can be sued into bankruptcy. The “best practices” list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption, and guarantee law enforcement “legal access” to any digital message.

So what is our plan? Can TP leadership please explain what TP is doing to combat the EARN-IT bill, "Going Dark" FUD, and all that?

These legislative initiatives in the US Congress targeting encrypted services such as Tor are by quite some distance the most urgent existential threat facing the Tor community, and also the most urgent existential threat to all network security (including the security of the US power grid, US elections, US health providers, journalists, civil liberties and human rights NGOs, etc.)

If Tor users fail to make their concerns known, we could suddenly find ourselves in a situation where TP faces the choice of

  • shutting down
  • putting in a USG backdoor (or looking the other way while a backdoor is inserted "upstream" or "downstream" of Tor software, perhaps by crippling something in critical Tor nodes)

This isn't a very good forum for discussing this topic (and this blog post isn't particularly relevant), however it is an important topic and it is something we are watching very closely. We are in contact with other civil society groups about this development, but we don't have any more information available than that. Obviously Tor cannot exist without strong cryptography (otherwise, what's the point?) and we will not produce or distribute software for which we know a backdoor exists within it. Please see the Support page, for reference: https://support.torproject.org/about/backdoor/

Of course we hope the situation won't come to making the decision of halting development of Tor and Tor Browser.

Anonymous

March 16, 2020

When will you add a new bridge or ask another company to provide meek? China nowadays communication (even the ones GFW doesn't ban are three cut one (because of the cov)), I have to use a VPN to connect to tor network. Would you just provide obfs4a or sth like that?

Anonymous

March 18, 2020

Windows 8.1 32 bit - TBB 9.0.6 upgraded from previous version + All settings default:
In 9.0.6 stopped usage of Youtube. I am opening tab with Youtube... waiting... and nothing happens. In early versions all worked fine.

Anonymous

March 21, 2020

this sh*t is fu*ked *p.
1. create account on reddit, log in, post, comment, whatever you like to do.
2. be done, log out (but don't close the reddit from where you logged out)
3. new tab > reddit = logged out
3.1 old tab (from where you supposedly were logged out and also not refreshed) allows to access account (so far I edited post successfully while "logged out")

3.2 reddit log out does not trigger page refresh on active page, but visiting this on separate page gives "not logged in" result.

4. in imaginary world when someone logged in, posted, logged out, and then (without closing active tab) got caught, it might add significant amount of unwantedness.

and btw resurrect clear history in private mode pls

Does reddit behave that way in other browsers? If so, Tor Browser is not the problem, so tell reddit's developers.

Tor Browser enables Private Browsing by default. Since private mode does not save history, there is nothing to clear. As for disabling the lists of Recently Closed tabs and windows in the History menu that allow you to Undo closing, read here https://support.mozilla.org/en-US/questions/1238049

Anonymous

March 22, 2020

Is there any extension that adds vim controls to Firefox that I can use with Tor Browser while being as anonymous as without it?

Anonymous

March 24, 2020

I am new to this Tor Browser and all that and my first question is what is the difference between "Tor Browser Alpha" and "Tor Browser"?

The alpha is an experimental version for users who want to help us test new features. Most people should use the standard Tor Browser.

If your use of Tor Browser is not critical, and if you want to help us testing new features, or if you are curious about what is coming, you can use the alpha.

For an even more experimental version you can use the Nightly:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Ni…

Anonymous

March 24, 2020

none

Anonymous

March 26, 2020

Thank you for your big efforts to keep it safer. I know how difficult the task is, even more so when dealing with other people's add-ons. You are the true White Hat Heroes. Government + Google et al + commercialized companies are the true hackers and thieves.

Anonymous

March 27, 2020

Hi, I just installed TOR browser, the moment I start tor browser it says "GAH, your tab crashed". I am unable to open any sites. Can anyone please give a proper guide?

Anonymous

March 30, 2020

After installation I start TOR and I have this info on the screen:
~ Application don't start properly (0xc000007b) click ok to shut down application.
How to fix this?
Good Day

Anonymous

April 13, 2020

This bug was so predictable years ago (javascript not disabled by noscript or anything else, but about:config).