New Release: Tor Browser 9.0a1

Tor Browser 9.0a1 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

Tor Browser 9.0a1 is the first release in the 9.0 alpha series. It contains all the improvements and fixes from the 8.5 release as well as other new features:

  • Tor Launcher is getting tighter integrated into the browser as a preparation step for the switch to Firefox 68 ESR. That results in it not showing up anymore on the about:addons page while still being available (and we don't need to make a code-signing exception for it either anymore, which is nice). See the underlying proposal for this decision for full details.
  • We backported Mozilla's Letterboxing feature which allows us to finally tackle the problem of not properly rounded screen dimensions in case users start to maximize or otherwise resize the browser window. Letterboxing is off by default for now, although we plan to enabled it in one of the upcoming alpha releases. If you want to check it out and report issues please add the privacy.resistFingerprinting.letterboxing preference on about:config and set it to true. Many thanks to Tom Ritter and anyone else at Mozilla who has been working on that problem and designing the current approach.

The full changelog since Tor Browser 8.5a12 is:

  • All platforms
    • Update Firefox to 60.7.0esr
    • Update Torbutton to 2.1.9
      • Bug 30069: Use slider and about:tor localizations
      • Bug 30115+27449+25145: Map browser + domain -> credentials to fix UI issues
      • Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate
      • Bug 30425: Revert armagadd-on-2.0 changes
      • Bug 30497: Add Donate link to about:tor
      • Bug 30464: Add WebGL to safer descriptions
      • Translations update
    • Update HTTPS Everywhere to 2019.5.6.1
    • Bug 24622: Proper first-party isolation of s3.amazonaws.com
    • Bug 30425: Revert armagadd-on-2.0 changes
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.19
      • Bug 28044: Integrate Tor Launcher into tor-browser
      • Bug 29627: Moat: add support for obfsproxy's meek_lite
      • Bug 30139: Remove FTE bits
      • Translations update
    • Bug 28044: Integrate Tor Launcher into tor-browser
    • Bug 30372: Backport letterboxing (bug 1538130)
    • Bug 28369: Stop shipping pingsender executable
    • Bug 30457: Remove defunct default bridges
    • Bug 29045: Ensure that tor does not start up in dormant mode
    • Bug 29641: Try to connect over IPv6 if needed
  • Windows
  • OS X
    • Bug 30241: Bump snowflake version to d11e55aabe
  • Linux
  • Android
    • Bug 29982: Force single-pane UI on Tor Preferences
    • Bug 30086: Prevent Sync-related crashes on Android
    • Bug 30214: Kill background thread when Activity is null
    • Bug 30239: Render Fragments after crash
    • Bug 30136: Use 'Tor Browser' as brand name on mobile, too
    • Bug 30069: Use slider and about:tor localizations
    • Bug 30371: Stop hard-coding the content provider name in tor-android-service
    • Bug 30162: Tor Browser bootstrap process got stuck after interrupting it
    • Bug 30166: If specified, only use custom bridges for connecting
    • Bug 30518: Add SocksPort flags for consistency across platforms
    • Bug 30284: Fix broken start-up on KitKat devices
    • Bug 30489: Remove Unused Resources from tor-android-service
  • Build System
    • Windows
      • Bug 29307: Use Stretch for cross-compiling for Windows
      • Bug 29731: Remove faketime for Windows builds
    • Linux
      • Bug 30377: Remove selfrando from our build system
      • Bug 30448: Strip Browser/gtk2/libmozgtk.so
    • Android
      • Bug 29981: Add option to build without using containers
      • Bug 30169: Switch to our tor-android-service repo
      • Bug 30404: Remove Orbot Project
      • Bug 30280: Wrong SHA-256 sum for j2objc-annotations-1.1.jar
Anonymous

May 22, 2019

Permalink

So much work! Thank you so much to the Tor Browser team + UX team (antonela o/) and also the hard working people at Mozilla (especially those contributing to antifingerprinting and 1stpartyisolation)!

The "add" is key. To quote from the blog post, "… add the privacy.resistFingerprinting.letterboxing preference …". Try right click in the list, "new" and then "boolean".

Anonymous

May 22, 2019

Permalink

Does this update fix the ddos exploitation?Tor is unsafe until this is fixed. How could you tell people they are safe with this bug. You all should be ashamed . Please fix this problem NOW or discontinue tor

Entitled much?

How about doing some basic reading on the issue before commenting?

You're commenting on a blog post about the Tor Browser release, but the issue needs to be fixed within Tor, so your comment is completely displaced here. So is your wording.

It's also not some trivial bug which can be fixed on the fly because you told so, solving this will need fundamental changes within the tor protocol itself, which naturally needs to take the possible consequences in account.

And yes, they're working on it. Parent ticket here: https://trac.torproject.org/projects/tor/ticket/29999

It's just annoying to have every single Tor Browser release announcement spammed with this shit - even more with that attitude dear..

Anonymous

May 22, 2019

Permalink

No one cares about these little fucking fixes. People are being Deanonomized by kid hackers in 10 minutes with little resource using tor . PLEASE STOP TELLING PEOPLE THEY ARE SAFE OR FIX THE FUCKING CRYPTO BUG that allow children to bring down government sites with ease? How can you even allow people to download this software

Anonymous

May 22, 2019

Permalink

Selfrando was a big news. No hope for this protection on Linux?

We don't plan to move forward with Selfrando deployment as it is not much more work for a browser attacker to bypass it [...] All in all I think the gains for our alphas are not worth the effort.
(from https://trac.torproject.org/projects/tor/ticket/30377 above)

That ticket states one opinion and no team discussion. Was this a well-researched conclusion?

Anonymous

May 22, 2019

Permalink

How do you invert the colors on Tor Browser? I tried changing the text and background values here, but the background is still a blinding white.

Preferences | Fonts & Colors | Colors | Text and Background

Would changing these values make it easier for trackers to id my browser?

Unfortunately Overrride | Always didn't work for me. I found a comment elsewhere that said changing the background color doesn't work on some operating systems. Compton was suggested so I used that.

I guess you misunderstood or maybe I did. Could you please take a look again at this Reddit post?

I tested the 8.5 version on Android and it starts with another instance of Orbot in the background just like it had been since last year release. So please forgive me to ask this again, but how this release gives us a separate Tor Browser APK that can work with The Guardian Project's standalone Orbot APK?

Please shade some lights.

The only separate Tow Browser APK I found to be working is 60.2.1 version of Tor Browser for Android (Alpha), which was released last year before new release got merged with Orbot.

Thank you for that info. But isn't that request something a bit different than requested here? There, the user does not want to use Orbot while here it's the main requirement along with a separate Tor Browser apk.

Earlier I thought this request to be solved sooner since @gk looked promising to push it in the upcoming release. Biggest disadvantage of current release is losing Android's Always-on VPN function. Which prevents data leaks and forces all apps to pass through Tor.

I am hopeful that Tor devs will come out with some solution soon.

Ref.: https://blog.torproject.org/comment/281763#comment-281763

If I understand you correctly, you either want a Tor Browser APK that doesn't contain the tor binary, or you want an option to disable Tor Browser Bundle's tor binary and tell Tor Browser to use Orbot's tor binary. Orbot basically is the tor binary packaged by Guardian Project. If the first one is what you meant, then gk answered your question. "If you mean "no included Tor [binary]" that won't happen and is done so by design." If the second one is what you meant, then the ticket sysrqb pasted is a bit unclear about which Orbot-- Tor Browser Bundle's at the time or Guardian Project's --the ticket wants to disable. The ticket says "built-in Orbot" which, if it means TBB's, is the second of my two guesses about what you meant. If the ticket means Guardian Project's, then you should create a new ticket.

Names need clarity if there are multiple meanings. Tor (capital T), tor (lowercase t), Tor Browser, Tor Browser Bundle, Tor Project, and which Orbot.
https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#UsageofTora…
https://support.torproject.org/misc/glossary/#tor-/-tor-network/-core-t…

Anonymous

May 23, 2019

Permalink

I just updated to version 9.0a 1, everything`s fine. But now I can`t open the stable version any more. Trying to do this I get the following message:

Error: proxy server denies connection
Firefox has been configured to use a proxy server that rejects the connection.

What can I do to be able to use both the stable version and the alpha version?

I am using macOS Mojave 10.14.5 and have both versions installed in my MacBook Pro application folder.

About 2 years ago the described problem occurred already once. At that time, the solution was to completely delete and reinstall both versions of TorBrowrser.

Where do you have both versions installed, too? The problem is probably that you just installed them as usual into /Applications. But that very likely breaks as now the first Tor Browser is getting installed there and the user profile is created in /Application\ Support/TorBrowser-Data/. If you install the second one (say, the alpha) at the same location the user profile does not get overwritten and you are using the one for Tor Browser stable which could cause all sorts of issues.

I decided to only use the stable version in the future because I don't have the time to get involved with this problem. I have removed the alpha version, since then there are no more problems.

Thanks for your efforts.

Anonymous

May 23, 2019

Permalink

A lot of changes for Android, and there's no update on Google Play.
There's a new stable Tor release available, but you shipped old 0.4.0.4-rc.
Something is definitely wrong with your Release Management.

Thanks for the report. I see 9.0a1 on Google Play. Does it show up for you now? Yes, we could have shipped 0.4.0.5. However, this is an alpha channel and 0.4.0.4-rc was the last Tor alpha release. Thus, you could argue we are good here as well. Anyway, a new alpha got released two days ago and we will pick that one up in the next point release.

Now yes. But where is the link to it in this blog post and in the download page?
No, you are not good with testing new Tor features using rc when stable is available.
And it's not good to pick up 0.4.1.x Tor, when you are preparing to ship 0.4.0.x to stable.

The alpha is used for a bunch of purposes. One is to test the next Tor Browser stable, yes. But at the same time it is used for the network team to find client side bugs as good as possible which is why it is important to ship new Tor alphas in Tor Browser's alpha series to give them a wider testing.

Anonymous

May 23, 2019

Permalink

5/23/19, 17:38:45.720 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
5/23/19, 17:38:46.480 [NOTICE] Bootstrapped 14% (handshake): Handshaking with a relay
5/23/19, 17:38:46.225 [NOTICE] Bootstrapped 15% (handshake_done): Handshake with a relay done
5/23/19, 17:38:46.227 [NOTICE] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
5/23/19, 17:38:46.230 [NOTICE] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
5/23/19, 17:38:46.232 [NOTICE] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
5/23/19, 17:38:52.746 [WARN] Problem bootstrapping. Stuck at 95% (circuit_create): Establishing a Tor circuit. (Network is unreachable [WSAENETUNREACH ]; NOROUTE; count 1; recommendation warn; host 9B24B2149631167704362E07356A9E9BFC1F0F05 at 2a01:4f9:2a:3d9:200::201:9001)
5/23/19, 17:38:52.758 [NOTICE] Bootstrapped 100% (done): Done
5/23/19, 17:38:52.761 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
5/23/19, 17:38:52.761 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
5/23/19, 17:38:52.761 [NOTICE] Delaying directory fetches: DisableNetwork is set.
WTF?

Seen same

5/31/19, 17:30:48.736 [WARN] Problem bootstrapping. Stuck at 30% (loading_status): Loading networkstatus consensus. (Network is unreachable; NOROUTE; count 2; recommendation warn; host B84F248233FEA90CAD439F292556A3139F6E1B82 at 2a00:1298:8011:212::164:9004)

Some reason it tries IPv6 address.

Anonymous

May 25, 2019

Permalink

  1. Tor WARN: Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (Network is unreachable [WSAENETUNREACH ]; NOROUTE; count 2; recommendation warn; host 9B24B2149631167704362E07356A9E9BFC1F0F05 at 2a01:4f9:2a:3d9:200::201:9001)<br />
  2. Tor WARN: 1 connections have failed:<br />
  3. Tor WARN: 1 connections died in state connect()ing with SSL state (No SSL object)

It looks like Tor tries IPv6 in IPv4 network...

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our ​support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

15 + 3 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.