New Release: Tor Browser 9.0.7

Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Tor.

This release updates Tor to 0.4.2.7 and NoScript to 11.0.19.

In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow Javascript by:

  • Open about:config
  • Search for: javascript.enabled
  • The "Value" column should show "false"
  • Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.

We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.

In addition, HTTPS-Everywhere version 2020.3.16 supports a new mode of operation named EASE (Encrypt All Sites Eligible). Tor Browser users should not enable this feature. This new mode allows for adding per-site exceptions (whitelisting); however, adding per-site exceptions may increase a user's uniqueness while using Tor Browser. Furthermore, when EASE mode is enabled, the whitelisting feature does not always work correctly. We decided against downgrading the included HTTPS-Everywhere version.

The full changelog since Tor Browser 9.0.6 is:

  • All Platforms
    • Bump NoScript to 11.0.19
    • Bump Https-Everywhere to 2020.3.16
    • Bug 33613: Disable Javascript on Safest security level
  • Windows + OS X + Linux
    • Bump Tor to 0.4.2.7


Update 2020-03-25: Added Https-Everywhere upgrade in ChangeLog and message about EASE mode.

Anonymous

March 25, 2020

There is a HUGE problem with Tor on Android.
If somebody has changed cookies or DNT settings and then shuts down the browser, the next time the browser is opened, even though the settings appear to be fine, the fact is that they have been changed back to what they were before they got changed!

However if you change them after the browser starts there is no problem.
The same goes each time you shut down and start Tor.

I apologize for my terrible English...

Even if someone accidentally changes these settings and then sets their values to the default ones, the values are gonna be those he had set at first, the dangerous ones as you have said.

If I have first installed Tor Browser in a previous version, should the signature after the 9.0.7 update be the 9.0.7 apk signature or the signature of the version I first downloaded?
Why does every version have a different signature?
I am talking about the SHA-256 signature.

Have you got the Signatures?
You have uploaded a link with SHA-256 Checksums.
I only can verify SHA-256 Signatures.
In my apk SHA-256 signature appears to be 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8

Signature Type: SHA256withRSA

Key Type: RSA 4096bit

App used: Checkey (Guardian Project)

Anonymous

March 25, 2020

noscript, https-everywhere were not updated, maybe because they are set to off for automatic updates, though I thought this was recommended. About time you ditched them and integrated the functions.

That is not good. Extensions are known vectors, my research shows these in particular have had issues. Look at all the dates on these bugs with no fixes. This is not good either. Most extension vulnerabilities can be prevented by disabling any connection function or blocking their connections entirely. For example https-everywhere even has its own internal self-update function, though this fortunately appears to be disabled in preferences, though not disabled/removed entirely, as it really should be.

No, disabling extension updates does not prevent vulnerabilities. The vulnerabilities in the extensions are the same whether or not we enabled extension updates. The only thing that is changing is how users are getting the fixes. In the past, extension updates have been used to fix vulnerabilities (mainly to noscript). This is the reason why we kept extension updates enabled. Making a new Tor Browser release involves a lot of work, so having the option to fix an issue with a noscript update saves us a lot of time. However, it is also better if users don't have to trust updates from multiple sources, which is why we are considering disabling updates for the extensions we ship.

Contradiction? You ignored what I said, or I was not clear enough. So you verify every automatic update? Seems like it would be less work and safer to integrate the functions. Disabling and removing extensions does prevent vulnerabilities, by your own advice of not installing them. My main point here is having internal extension connection functions that can update themselves internally even though they are disabled by default is poor practice. There is even a big warning message in https-everywhere. What more do you need? I appreciate it takes a lot of effort, though recently you had a big bug raising fund. Thought you stated it was great and would be used to fix bugs. If there is a lack of developers and support then that is a great shame. Lives depend on Tor as you no doubt know. I am grateful for your efforts regardless.

Anonymous

March 25, 2020

Often pages are endlessly loading, so clicking New Tor Circuit, but this fails due to the page still trying to load and just gives a blank page, resulting in having to wait a long time for it to fail before you can choose a new circuit.

All and any websites, it's a general problem.. Endless loading.. try to get a new circuit.. blank page.. have to wait for failed loading until able to choose a new circuit to avoid getting just a blank page.

You mean they timeout and stop, not that they refresh on their own like this blog. Do any sites load successfully?

You can stop loading by pressing the Escape key or by opening the right-click menu on the page and clicking the X or by dragging the Reload button to your toolbar (Customize) that will turn into an X as pages are loading.

The sites could be blocking Tor. Even if a site is not blocking Tor, some sites need JavaScript or features that are less private, and some sites load faster if those features are disabled. You can try one of the other security levels in the shield icon, and then load the site. Sites ending in .onion are slower in general, and smaller onion sites are down more often. It could be that the sites you are trying do not exist anymore.

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_erro…

Yes they timeout and stop, failing to load.. It can happen on any page.. Yes they load successfully but only after they can timeout and a new circuit can be chosen.. If a new circuit is chosen before the timeout then it results in a blank page.

Yes, but UA header and navigator.userAgent still return real platform.

Tor Browser:
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Firefox on Windows 10 x64:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Anonymous

March 26, 2020

Disqus functionality still completely broken. Any sites using disqus are unusable regardless of settings.

Anonymous

March 26, 2020

Disqus functionality is still completely borked, rendering any site using Disqus (which is a lot) useless. Setting security and java-script to minimum and allowing everything and still no workie. Something is fundamentally broken as far as Disqus...

I went to the DuckDuckGo onion website. I was on the safest level. It popped up a cross site scripting popup and then I blocked all XSS from that site. Now when I try to go to the Duck Duck Go onion URL the browser does not load it. However when I go to search the Clearnet Duck DuckGo url I can find pages that link to the DUCKDuckGo Onion url and when I follow the links it goes there and works. But no matter how many times I try to load the url from my bookmarks it does not work.

Step by step, verify your bookmark. Then, from where was the XSS being loaded? Was it duckduckgo.com or duck.co, or was it someplace else? If it's still suspicious, scan your computer for viruses and/or reinstall Tor Browser. Contact DuckDuckGo support.

It is not a good idea to download/update Tor from playstore.
Google may even try to modify the app and add NSA backdoors. It is well known that they have been cooperating for many years with the NSA and other intelligence agencies.
Just use this website or fdroid..
And if you want to be sure check the pgp and sha signatures of the apk you have downloaded to be sure it is not modified...
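The SHA-256 question in the earlier comment and this comment's advice to check the downloaded apk call for the same check, with one distinction worth keeping in mind: the value an APK inspector such as Checkey reports (signature type SHA256withRSA, RSA key) is the fingerprint of the signing certificate, whereas the download page's list gives SHA-256 checksums of the files themselves, which change with every release. The Python script below is an added example, not Tor Project code: it parses a sha256sum-style checksum list and verifies downloaded files against it, reporting ok, mismatch or missing. All file names and contents are constructed for the demo, and their digests are computed from them, not copied from any real release.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum-style 'DIGEST  FILENAME' lines into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum writes '  ' (text) or ' *' (binary)
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError("malformed digest: " + line)
        expected[name] = digest.lower()
    return expected

def verify_downloads(directory, sums_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every listed file."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_of_file(path) == digest else "MISMATCH"
    return results

def demo():
    """Constructed data: two fake files plus a sums list; the .apk is then tampered with."""
    d = tempfile.mkdtemp()
    files = {"example.apk": b"constructed apk bytes\n", "example.tar.xz": b"constructed archive\n"}
    lines = [hashlib.sha256(data).hexdigest() + "  " + name for name, data in files.items()]
    lines.append("0" * 64 + "  not-downloaded.apk")  # listed, but never downloaded
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    with open(os.path.join(d, "example.apk"), "ab") as f:
        f.write(b"X")  # simulate a modified download
    return verify_downloads(d, "\n".join(lines))
```

Running `demo()` yields a mismatch for the tampered apk, ok for the untouched archive, and missing for the listed file that was never downloaded; a real check would point `verify_downloads` at the download directory and the checksum file fetched alongside the release.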

Anonymous

March 27, 2020

There are tab crash vulnerabilities that will cause all extensions to be disabled.

Did you not see my reply saying it causes extensions to become functionally disabled? Their menus still open but they are mostly blank; all their internal javascript for websites appears to stop working. It appears the javascript engine crashes or something.. So I would recommend embedding the functions in the browser so this would not happen. I'm not going to try to tell you how to crash tabs; I thought this was your area of expertise. Think I already said enough that shows the problem. Surely you know how to perform javascript / memory buffer overloads. If you ask short questions, expect short answers. It's as if you don't use the browser yourself or something!

Anonymous

March 27, 2020

The lack of professionalism here is at best embarrassing and at worst scary. At a time of global emergency it is saddening that this supposed security project is greatly lacking. You speak of the importance of security and yet you don't even bother to fix your own website or clear vulnerabilities. Perhaps this project should come with a health warning of its own!

Yes, I have posted them here but they are not being taken seriously. The bug tracker appears to have many similar bugs that haven't been fixed in many years! I am beginning to lose trust here.