New Release: Tor Browser 9.0

Update [7:30 UTC]: Clarified the number of locales we support. It's 32 with Tor Browser 9.0.

Update [10:45 UTC]: Added a section about letterboxing.

Tor Browser 9.0 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 9.0 is the first stable release based on Firefox 68 ESR and contains a number of updates to other components as well (including Tor to 0.4.1.6 and OpenSSL to 1.1.1d for desktop versions and Tor to 0.4.1.5 for Android).

In addition to all the needed patch rebasing and toolchain updates, we made big improvements to make Tor Browser work better for you.

We want everyone in the world to be able to enjoy the privacy and freedom online Tor provides, and that's why over the past couple years, we've been working hard to boost our UX and localization efforts, with the biggest gains first visible in Tor Browser 8.0.

In Tor Browser 9.0, we continue to build upon those efforts with sleeker integration and additional localization support.

Goodbye, Onion Button

We want your experience using Tor to be fully integrated within the browser so how you use Tor is more intuitive. That's why now, rather than using the onion button that was in the toolbar, you can see your path through the Tor network and request a New Circuit through the Tor network in [i] on the URL bar.

Tor Browser - circuit display - dark theme

 

Hello, New Identity Button

Tor Browser - Toolbar - New Identity Button

Instead of going into the onion button to request a New Identity, we've made this important feature easier to access by giving it its own button in the toolbar.

Tor Browser - New Identity

You can also request a New Identity, and a New Circuit, from within the [=] menu on the toolbar.

Torbutton and Tor Launcher Integration

Now that both extensions are tightly integrated into Tor Browser, they'll no longer be found on the about:addons page.

Tor Browser - about preferences

We redesigned the bridge and proxy configuration dialogs and included them directly in the browser's preference settings as well.

Rather than being a submenu behind the onion button, Tor Network Settings, including the ability to fetch bridges to bypass censorship where Tor is blocked, are easier to access on about:preferences#tor.

Letterboxing

Tor Browser, in its default mode, starts with a content window rounded to a multiple of 200px x 100px to prevent fingerprinting of the screen dimensions. The strategy here is to put all users in a couple of buckets to make it harder to single them out. That worked until users started to resize their windows (e.g. by maximizing them or going into fullscreen mode). Tor Browser 9 ships with a fingerprinting defense for those scenarios as well, called Letterboxing, a technique developed by Mozilla and presented earlier this year. It works by adding white margins to a browser window so that the window is as close as possible to the desired size while users still fall into a couple of screen size buckets, which prevents singling them out with the help of screen dimensions.
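The bucketing idea described above, as an added example that is not Tor Browser or Firefox code. It assumes resized windows are rounded down with the same 200 x 100 px step the post gives for the startup window; the function names, the even margin split and the sample window sizes are constructed for illustration.

```javascript
"use strict";

// Simplified model of letterboxing. Assumption: resized windows are rounded
// down with the same 200 x 100 px step the post gives for the startup window.
const STEP_WIDTH = 200;
const STEP_HEIGHT = 100;

// Round a dimension down to a multiple of `step`. A window smaller than one
// step cannot be rounded down, so it is returned unchanged.
function roundDown(value, step) {
  if (!Number.isFinite(value) || value < 1) {
    throw new RangeError("dimension must be a number >= 1");
  }
  const px = Math.floor(value);
  return px < step ? px : px - (px % step);
}

// Given the space available for page content, return the size the page is
// allowed to observe and the margins that fill the rest of the window.
function letterbox(availWidth, availHeight) {
  const width = roundDown(availWidth, STEP_WIDTH);
  const height = roundDown(availHeight, STEP_HEIGHT);
  const extraX = Math.floor(availWidth) - width;
  const extraY = Math.floor(availHeight) - height;
  return {
    width,
    height,
    // Assumption: margins are split evenly; an odd pixel goes right/bottom.
    margin: {
      left: Math.floor(extraX / 2),
      right: Math.ceil(extraX / 2),
      top: Math.floor(extraY / 2),
      bottom: Math.ceil(extraY / 2),
    },
    // False when the window is smaller than one step: the real size leaks.
    inBucket: width % STEP_WIDTH === 0 && height % STEP_HEIGHT === 0,
  };
}

// Group window sizes by the bucket a page would observe.
function bucketize(sizes) {
  const buckets = new Map();
  for (const [w, h] of sizes) {
    const box = letterbox(w, h);
    const key = `${box.width}x${box.height}`;
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(`${w}x${h}`);
  }
  return buckets;
}

// Constructed sample: content-area sizes after maximizing on various screens.
const SAMPLE_WINDOWS = [
  [1366, 657],
  [1440, 789],
  [1536, 754],
  [1920, 969],
  [1912, 954],
  [1280, 609],
  [1399, 699],
];

// Show which distinct real sizes become indistinguishable to a page.
for (const [bucket, members] of bucketize(SAMPLE_WINDOWS)) {
  console.log(`${bucket} <- ${members.join(", ")}`);
}
```

Seven distinct window sizes collapse into three observable sizes here; a window narrower or shorter than one step stays outside any bucket, which the `inBucket` flag reports.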

Better Localization Support

If we want all people around the world to be able to use our software, then we need to make sure it's speaking their language. Since 8.0, Tor Browser has been available in 25 languages, and we added 5 more locales in Tor Browser 8.5. Today, we add support for two additional languages: Macedonian (mk) and Romanian (ro), bringing the number of supported languages to 32.

We also fixed bugs in our previously shipped localized bundles (such as ar and ko).

Many thanks to everyone who helped with these, in particular to our translators.

Known Issue

As usual when preparing Tor Browser releases, we verified that the build is bit-for-bit reproducible. While we managed to get two matching builds, we found that on some occasions the builds differ (we found this happening on the Linux i686 and macOS bundles). We are still investigating the cause of this issue to fix it.

Give Feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know. Thanks to all of the teams across Tor, and the many volunteers, who contributed to this release.

Changelog

The full changelog since Tor Browser 8.5.6 is:

  • All Platforms
    • Update Firefox to 68.2.0esr
    • Bug 31740: Remove some unnecessary RemoteSettings instances
    • Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
    • Bug 28196: about:preferences is not properly translated anymore
    • Bug 19417: Disable asmjs on safer and safest security levels
    • Bug 30463: Explicitly disable MOZ_TELEMETRY_REPORTING
    • Bug 31935: Disable profile downgrade protection
    • Bug 16285: Disable DRM/EME on Android and drop Adobe CDM
    • Bug 31602: Remove Pocket indicators in UI and disable it
    • Bug 31914: Fix eslint linter error
    • Bug 30429: Rebase patches for Firefox 68 ESR
    • Bug 31144: Review network code changes for Firefox 68 ESR
    • Bug 10760: Integrate Torbutton into Tor Browser directly
    • Bug 25856: Remove XUL overlays from Torbutton
    • Bug 31322: Fix about:tor assertion failure debug builds
    • Bug 29430: Add support for meek_lite bridges to bridgeParser
    • Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
    • Bug 30683: Prevent detection of locale via some *.properties
    • Bug 31298: Backport patch for #24056
    • Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
    • Bug 27601: Browser notifications are not working anymore
    • Bug 30845: Make sure internal extensions are enabled
    • Bug 28896: Enable extensions in private browsing by default
    • Bug 31563: Reload search extensions if extensions.enabledScopes has changed
    • Bug 31396: Fix communication with NoScript for security settings
    • Bug 31142: Fix crash of tab and messing with about:newtab
    • Bug 29049: Backport JS Poison Patch
    • Bug 25214: Canvas data extraction on local pdf file should be allowed
    • Bug 30657: Locale is leaked via title of link tag on non-html page
    • Bug 31015: Disabling SVG hides UI icons in extensions
    • Bug 30681: Set security.enterprise_roots.enabled to false
    • Bug 30538: Unable to comment on The Independent Newspaper
    • Bug 31209: View PDF in Tor Browser is fuzzy
    • Translations update
  • Windows + OS X + Linux
    • Update Tor to 0.4.1.6
    • Update OpenSSL to 1.1.1d
      • Bug 31844: OpenSSL 1.1.1d fails to compile for some platforms/architectures
    • Update Tor Launcher to 0.2.20.1
      • Bug 28044: Integrate Tor Launcher into tor-browser
      • Bug 32154: Custom bridge field only allows one line of input
      • Bug 31286: New strings for about:preferences#tor
      • Bug 31303: Do not launch tor in browser toolbox
      • Bug 32112: Fix bad & escaping in translations
      • Bug 31491: Clean up the old meek http helper browser profiles
      • Bug 29197: Remove use of overlays
      • Bug 31300: Modify Tor Launcher so it is compatible with ESR68
      • Bug 31487: Modify moat client code so it is compatible with ESR68
      • Bug 31488: Moat: support a comma-separated list of transports
      • Bug 30468: Add mk locale
      • Bug 30469: Add ro locale
      • Bug 30319: Remove FTE bits
      • Translations update
    • Bug 32092: Fix Tor Browser Support link in preferences
    • Bug 32111: Fixed issue parsing user-provided bridge strings
    • Bug 31749: Fix security level panel spawning events
    • Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
    • Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
    • Bug 28044: Integrate Tor Launcher into tor-browser
    • Bug 31059: Enable Letterboxing
    • Bug 30468: Add mk locale
    • Bug 30469: Add ro locale
    • Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
    • Bug 31251: Security Level button UI polish
    • Bug 31344: Register SecurityLevelPreference's 'unload' callback
    • Bug 31286: Provide network settings on about:preferences#tor
    • Bug 31886: Fix ko bundle bustage
    • Bug 31768: Update onboarding for Tor Browser 9
    • Bug 27511: Add new identity button to toolbar
    • Bug 31778: Support dark-theme for the Circuit Display UI
    • Bug 31910: Replace meek_lite with meek in circuit display
    • Bug 30504: Deal with New Identity related browser console errors
    • Bug 31929: Don't escape DTD entity in ar
    • Bug 31747: Some onboarding UI is always shown in English
    • Bug 32041: Replace = with real hamburguer icon ≡
    • Bug 30304: Browser locale can be obtained via DTD strings
    • Bug 31065: Set network.proxy.allow_hijacking_localhost to true
    • Bug 24653: Merge securityLevel.properties into torbutton.dtd
    • Bug 31164: Set up default bridge at Karlstad University
    • Bug 15563: Disable ServiceWorkers on all platforms
    • Bug 31598: Disable warning on window resize if letterboxing is enabled
    • Bug 31562: Fix circuit display for error pages
    • Bug 31575: Firefox is phoning home during start-up
    • Bug 31491: Clean up the old meek http helper browser profiles
    • Bug 26345: Hide tracking protection UI
    • Bug 31601: Disable recommended extensions again
    • Bug 30662: Don't show Firefox Home when opening new tabs
    • Bug 31457: Disable per-installation profiles
    • Bug 28822: Re-implement desktop onboarding for ESR 68
  • Windows
    • Bug 31942: Re-enable signature check for language packs
    • Bug 29013: Enable stack protection for Firefox on Windows
    • Bug 30800: ftp:// on Windows can be used to leak the system time zone
    • Bug 31547: Back out patch for Mozilla's bug 1574980
    • Bug 31141: Fix typo in font.system.whitelist
    • Bug 30319: Remove FTE bits
  • OS X
    • Bug 30126: Make Tor Browser compatible with macOS 10.15
    • Bug 31607: App menu items stop working on macOS
    • Bug 31955: On macOS avoid throwing inside nonBrowserWindowStartup()
    • Bug 29818: Adapt #13379 patch for 68esr
    • Bug 31464: Meek and moat are broken on macOS 10.9 with Go 1.12
  • Linux
    • Bug 31942: Re-enable signature check for language packs
    • Bug 31646: Update abicheck to require newer libstdc++.so.6
    • Bug 31968: Don't fail if /proc/cpuinfo is not readable
    • Bug 24755: Stop using a heredoc in start-tor-browser
    • Bug 31550: Put curly quotes inside single quotes
    • Bug 31394: Replace "-1" with "−1" in start-tor-browser.desktop
    • Bug 30319: Remove FTE bits
  • Android
    • Update Tor to 0.4.1.5
    • Bug 31010: Rebase mobile patches for Fennec 68
    • Bug 31010: Don't use addTrustedTab() on mobile
    • Bug 30607: Support Tor Browser running on Android Q
    • Bug 31192: Support x86_64 target on Android
    • Bug 30380: Cancel dormant by startup
    • Bug 30943: Show version number on mobile
    • Bug 31720: Enable website suggestions in address bar
    • Bug 31822: Security slider is not really visible on Android anymore
    • Bug 24920: Only create Private tabs in permanent Private Browsing Mode
    • Bug 31730: Revert aarch64-workaround against JIT-related crashes
    • Bug 32097: Fix conflicts in mobile onboarding while rebasing to 68.2.0esr
  • Build System
    • All Platforms
      • Bug 30585: Provide standalone clang 8 project across all platforms
      • Bug 30376: Use Rust 1.34 for Tor Browser 9
      • Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
      • Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
        • Bug 31621: Fix node bug that makes large writes to stdout fail
      • Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
      • Bug 31293: Make sure the lo interface inside the containers is up
      • Bug 27493: Clean up mozconfig options
      • Bug 31308: Sync mozconfig files used in tor-browser over to tor-browser-build for esr68
    • Windows
      • Bug 29307: Use Stretch for cross-compiling for Windows
      • Bug 29731: Remove faketime for Windows builds
      • Bug 30322: Windows toolchain update for Firefox 68 ESR
        • Bug 28716: Create mingw-w64-clang toolchain
        • Bug 28238: Adapt firefox and fxc2 projects for Windows builds
        • Bug 28716: Optionally omit timestamp in PE header
        • Bug 31567: NS_tsnprintf() does not handle %s correctly on Windows
        • Bug 31458: Revert patch for #27503 and bump mingw-w64 revision used
      • Bug 9898: Provide clean fix for strcmpi issue in NSPR
      • Bug 29013: Enable stack protection support for Firefox on Windows
      • Bug 30384: Use 64bit containers to build 32bit Windows Tor Browser
      • Bug 31538: Windows bundles based on ESR 68 are not built reproducibly
      • Bug 31584: Clean up mingw-w64 project
      • Bug 31596: Bump mingw-w64 version to pick up fix for #31567
      • Bug 29187: Bump NSIS version to 3.04
      • Bug 31732: Windows nightly builds are busted due to mingw-w64 commit bump
      • Bug 29319: Remove FTE support for Windows
    • OS X
      • Bug 30323: MacOS toolchain update for Firefox 68 ESR
      • Bug 31467: Switch to clang for cctools project
      • Bug 31465: Adapt tor-browser-build projects for macOS notarization
    • Linux
      • Bug 31448: gold and lld break linking 32bit Linux bundles
      • Bug 31618: Linux32 builds of Tor Browser 9.0a6 are not matching
      • Bug 31450: Still use GCC for our ASan builds
      • Bug 30321: Linux toolchain update for Firefox ESR 68
        • Bug 30736: Install yasm from wheezy-backports
        • Bug 31447: Don't install Python just for Mach
      • Bug 30448: Strip Browser/gtk2/libmozgtk.so
    • Android
      • Bug 30324: Android toolchain update for Fennec 68
        • Bug 31173: Update android-toolchain project to match Firefox
        • Bug 31389: Update Android Firefox to build with Clang
        • Bug 31388: Update Rust project for Android
        • Bug 30665: Get Firefox 68 ESR working with latest android toolchain
        • Bug 30460: Update TOPL project to use Firefox 68 toolchain
        • Bug 30461: Update tor-android-service project to use Firefox 68 toolchain
      • Bug 28753: Use Gradle with --offline when building the browser part
      • Bug 31564: Make Android bundles based on ESR 68 reproducible
      • Bug 31981: Remove require-api.patch
      • Bug 31979: TOPL: Sort dependency list
      • Bug 30665: Remove unnecessary build patches for Firefox

"Great" as in feeding the exact URLs you're currently browsing to a third party with a business model of surveillance capitalism which is literally what it's doing and not telling you up front? No thanks!

Anonymous

October 23, 2019


new update has a strange border around all web pages. Anyway I can revert back to the previous version?

Anonymous

October 23, 2019


Thank you Tor Project!

Am I no longer able to browse my LAN by excluding its IPv4 (CIDR form) from SOCKS requests?

How can I get back to surfing my LAN?

Anonymous

October 23, 2019


Hello, since the update to version 9.0 I have 403 forbidden errors.
Despite the addition of a rule in about/config or either the addition of a user-agent extension, nothing is done.
The same error occurs in version 9.5a1.
Could you investigate, thank you in advance.

Best regards,

TorTue

I just encountered a "Bad Gateway" error when I tried to reload a page at another site. The notice gave an IPv6 address, which I do not know how to parse. Should the address stated in the notice correspond to a Tor exit node at the time of the incident? How can I check?

I can understand some of the logic behind letterboxing as it's being used here. Making me scroll up and down, I'm used to that in order to see a long document.

But what is tragic on the UX front is hiding words on horizontal, so I have to scroll a little bit left and a little bit right just to see the content inside the letter box.

Is this the new default? Can't the width also be letterboxed, but not force me to scroll left and right just to read?

How about snapping the width of the window so that the inner letterbox never needs to act as a frame that masks the content?

> Can't the width also be letterboxed, but not force me to scroll left and right?

The width *is* letterboxed. You're describing a webpage that has not been coded with "responsive design" principles or was broken somehow. The formatting of the comments you're reading here on this blog, for example, is broken and ugly at the moment because of a security update to Drupal. Other times, raising Tor Browser's security level breaks some site's formatting because those sites depend on JavaScript or other technologies that allow invasive features, and TBB's higher security levels block those. Some sites contain HTML tables that restrict content to static widths that don't collapse gracefully when you decrease the browser's (any browser's) window width. Your issue exists in various forms across all browsers. In most cases, it's the fault of whoever designed the web page.

Every previous version worked (on Win 7 64bit), but this one immediately pops up api-ms-win-crt-runtime-l1-1-0.dll is missing on launch.

You need to update your Windows to get missing updates. In one of those the missing .dll got shipped.

No snowflake on Windows?

No snowflake at all in 9.0. It's still not reliable enough for stable usage. However, if you test current alpha releases you get snowflake for Windows, macOS, and Linux.

"Prevent accessibility services from accessing your browser" should = true
https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019…

How would users that need to have accessibility tools enabled to navigate the browser set them back to enabled?

Installer option or ask at first start?

Is it possible to automatically deny "Extract canvas data"? Thank you for your work.

Not yet but we have https://trac.torproject.org/projects/tor/ticket/23227 for that. If you could help with this ticket, please do!

api-ms-win-crt-runtime-l1-1-0.dll is missing, so it won't start. This is part of visual C++ library, an optional OS addition. Why would tor assume everybody opted to have it installed? Tor didn't need it before, nor does Firefox require it. It just seems like an odd choice for a stand-alone security program that people often need to run from various PCs (e.g. library PCs) to call upon a dependency that wasn't included by default and many opted to not install.

You need to update your Windows to have the latest security updates. The .dll missing got shipped a while back with one of such updates. I think an up-to-date operating system is not an unreasonable assumption to have and build software upon.

I think it is unreasonable. Not everybody applies every update, such as public libraries, work computers etc. And even if they do, they often block them. If all applications they use (and want to run) work, why would they update the C++ library to accommodate 3rd party apps they don't even want to run on their computers? Loads of computers will never have the optional C++ libraries referenced by tor. Why needlessly limit tor to a subset of computers by referencing optional external libraries?

How do they keep their computers secure if not even applying updates?

I have to agree with gk here. IMO, if your workplace, your library, your friends, etc, are not keeping software up to date, you need to complain to them, not to Tor Project.

Rule one of cyberprivacy: keep your system secure.

Rule one of cybersecurity: keep your system up to date.

Keeping a system up to date IS NOT the same as applying all updates and keeping them all enabled. Secure up to date machines commonly don't opt to have the visual C++ libraries enabled because doing so doesn't provide any additional security while allowing for more 3rd party apps, including malicious apps, to run and have easier access to the system, which also allows more buggy amateur programs to run and do unintentional damage. In short, an up to date machine with C++ disabled is far more secure.

THEY ARE APPLYING UPDATES! There's a HUGE difference between keeping systems updated and opting in, or leaving enabled, EVERY UPDATE. How is this confusing you?

Their systems are up to date. They just don't have any Visual C++ redistributes, including other non-essential components. Having them enabled doesn't make your system any more secure. In fact, visual C++ only serves to compromise your system by exposing it to a much larger number of apps written by lazy, malicious or inexperienced programmers.

> How is this confusing you?

Assuming you are addressing me (not a TP coder) rather than gk, could this be a Windows vs Linux thing? I use Debian so I might misunderstand how Windows or Mac users upgrade their systems.

Firefox does require it and bundle it. You can easily copy it from Firefox if you want to run Tor Browser on machines not intended for that.

> You can easily copy [the dll] from Firefox

Oh? Users on older systems would really like to know that and how.

"older systems"? Do you mean "outdated"?
Easier: open folder with firefox.exe and copy all non-existent-in-tor-browser files to Tor Browser folder with firefox.exe.

Yes, outdated. A couple comments sounded like they are on Vista or XP. I hope not. Your instructions are a joke. This thread is about the .dll. "Copy all different" from Mozilla mainline folder into Tor ESR folder has high probability of causing errors rather than fixing.

It's good TBB is using new features Mozilla is offering.
BUT, the vanilla Firefox is going more and more the bugging me way.

Example: TBB 9.0 sets extensions.webextensions.ExtensionStorageIDB.enabled;false. Good.
FirefoxESR vanilla extensions.webextensions.ExtensionStorageIDB.enabled is true.
With extensions.webextensions.ExtensionStorageIDB.enabled:true the
privacy affined user cannot easily delete the storage-dir without ....annoying side effects because,
suddenly, the storage dir is the new browser-extension-data dir. What The Fuck is going on?
Why Mozilla is doing this?

Can you - or mozilla(-: - bring back "Choose what you see when you open your homepage"(Home button) in 'Options', working like before?
Easy with TBB8.5.5, lilbit tricky with 9.0(not without about:config) -no editing without custom in ALL windows/tabs.

All facebook's videos (facebookcorewwwi.onion) will not play. I'm using OS X 10.9.5. After downgrading to 8.5.5, all is well again.

Do you have an example video that I could check out to reproduce this problem (without Facebook account accessible)?

context menu behaves different. it is this option > ui.context_menus.after_mouseup;true

The user interface is a bit slicker, with new identity possible with just one mouse click. :-)
Is it possible to globally block canvas data extraction, or have that ability added in future versions?
It's annoying to have to block canvas extraction for every second website I visit.

> new identity possible with just one mouse click. :-)

I like that too!

Tor Browser should not store data into the application directory. It is against security and sandboxing.

It is 3 years old!

A blog about how to use sandboxing properly as a TB users (e.g. where to store downloads and why doing it right can help keep you safer) would be very useful I think. I have used TB almost from the beginning but am not confident I know how to use the sandboxing features correctly.

Danger! TOR BROWSER version 9.0 Android -9.* ALPHA Android.

A vulnerability in the Tor Browser (Android) - version 9.0 / 9.*.* (alpha)

The problem description concerns Tor Browser version 9.0 / 9.*.* (alpha) for Android operating system!
The reason for the vulnerability: - after clearing the cache online, cookies and other identification data remain in the browser.

Detailed description of the actions performed and the presence of the problem:
I do not make any changes to the settings, I do not use add-ons.
Using a clean browser
After clearing the cache from the browser menu, necessarily change the tor ID.
And under such conditions, the result is sad.

My action:

1) launch Tor Browser
2) on the main page about:tor in the "address input field" window, I register the site address
3) click, activate the link
4) the site page opens
5) enter login and password
6) click, for the authorization process.
7) the page is reloaded, authorization occurs
8) I make any actions necessary for me on the site under my login and password.
9) the site page is open, do not click (do not click) on the exit button - do not touch anything.
10) click, browser menu
11) I go to the browser settings menu, click: "clear private data"
12) browser reports: "personal data deleted"
13) close the browser menu
14) in the opened main browser window (about:tor) in the address input field, I register the address of the site where I just was.
15) click
16) the site page is loaded and opened
17) I see on the opened main page of the site that I am authorized and online!
18) I click for example: on the link to enter the personal account, and freely enter without entering the login and password, I can perform any actions without authorization.

THIS IS A SIGN THAT PERSONAL IDENTIFICATION DATA HAS BEEN STORED IN THE CACHE AFTER CLEANING! A SIMILAR PROBLEM is PRESENT IN all versions of Firefox, Tor Browser, IceCat WHEN USING "PRIVATE MODE". IN" PRIVATE MODE " THE BROWSER CACHE IS NOT CLEARED, PERSONAL IDENTIFICATION DATA REMAINS IN IT UNTIL THE BROWSER IS CLOSED. ONLY AFTER CLOSING THE PROGRAM WILL THE CACHE BE CLEARED COMPLETELY. THEREFORE, DO NOT USE "PRIVATE MODE".
To FIX the PROBLEM, you need to BLOCK the AUTOMATIC link TRANSITION to the "PRIVATE MODE" (browser.privatebrowsing.autostart; false )
IN TOR BROWSER VERSIONS 9.0-9.*.* (alpha) ANDROID this ISSUE CANNOT be RESOLVED.

I do not recommend using version 9.0 / 9.* - (alpha).

USE TOR BROWSER VERSION 8.5.6 (ANDROID) IT HAS THE ABILITY TO FIX THIS PROBLEM.
In the about:config SETTINGS, FIND: browser.privatebrowsing.autostart SET TO; false (browser.privatebrowsing.autostart; false )


Yes, clearing data does not work as it is supposed to work, see: https://trac.torproject.org/projects/tor/ticket/27592 for a ticket to track the problem. Help is appreciated.

Hi, since I downloaded the new version (3 days ago), I cannot open Tor now. I use another computer with an old version, but I lose everything I had in my page. A window opens and says:
" firefox.exe - System Error
api-ms-win-crt-convert-l1-1-0.dll is missing from your computer? try reinstalling the program to fix the problem. "

I did it but it's a new page. How can I get my page again (with all my bookmarks)? Sorry for my poor English.

You need to get the latest security updates on your Windows system. This .dll got shipped with one of those updates a while back.

So, which FBI agent was responsible for destroying Tor Button (again)?
