New Release: Tor Browser 9.0a4
Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
This release features important security updates to Firefox.
Tor Browser 9.0a4 contains updates to a number of bundle parts, most importantly Firefox (60.8.0esr) and Tor (0.4.1.3-alpha).
In our ongoing efforts to reach more users with Tor Browser, we include native Macedonian bundles for the first time and ship Tor Browser for the aarch64 architecture on mobile. (Note: the aarch64 build is not currently available on Google Play. You can, however, download it from our distribution directory, along with its signature.) Additionally, we have implemented fixes for accessibility support on Windows systems (big thanks to Richard Pospesel for the hard work here), which now deserve wider testing. Finally, letterboxing is now enabled by default. Please give it a try if you can, so we can iron out bugs before we ship it to all users starting with Tor Browser 9.
As in the stable series, we include a fundraising banner to help us get more donations. Please donate if you can!
The full changelog since Tor Browser 9.0a3 is:
- All platforms
  - Update Firefox to 60.8.0esr
  - Update Torbutton to 2.2.1
  - Update Tor Launcher to 0.2.19.2
  - Bug 30468: Add mk locale
  - Translations update
  - Update HTTPS Everywhere to 2019.6.27
  - Bug 31055+31058: Remove four default bridges
  - Bug 30849: Backport fixes for Mozilla's bug 1552627 and 1549833
- Windows + OS X + Linux
- OS X
  - Bug 30631: Blurry Tor Browser icon on macOS app switcher
- Bug 28119: Tor Browser for aarch64
Tor Project's certificate is poisoned.
For a specific example, take a look at the Tor Project signing key:
$ apt-key adv --recv-keys --keyserver keys.gnupg.net 886DDD89
gpg: requesting key 886DDD89 from hkp server keys.gnupg.net
gpg: packet(13) too large
gpg: read_block: read_error: invalid packet
gpg: Total number processed: 0
gpg: no valid OpenPGP data found.
This SKS keyserver poisoning is going to destroy the entire PGP system:
Impact of SKS keyserver poisoning on Gentoo (Jul 3, 2019)
The SKS keyserver network has been a victim of a certificate poisoning attack lately. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to shortly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.
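Added example, not part of the original post or its comments: a minimal Python pre-import check that walks the packet headers of a binary (dearmored) OpenPGP certificate and flags oversized User ID packets (tag 13 in RFC 4880, the packet type named in the gpg error above) and excessive signature-packet counts. The thresholds, function names and sample bytes are assumptions constructed for illustration.

```python
TAG_SIGNATURE, TAG_USER_ID = 2, 13   # packet tags defined in RFC 4880
MAX_UID_BYTES = 2048                 # assumed threshold for this example
MAX_SIGNATURES = 1000                # assumed threshold for this example

def read_header(data, pos):
    """Return (tag, body_length, body_start) for the packet header at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                              # new-format header
        tag, o1, pos = first & 0x3F, data[pos + 1], pos + 2
        if o1 < 192:                              # one-octet length
            return tag, o1, pos
        if o1 < 224:                              # two-octet length
            return tag, ((o1 - 192) << 8) + data[pos] + 192, pos + 1
        if o1 == 255:                             # five-octet length
            return tag, int.from_bytes(data[pos:pos + 4], "big"), pos + 4
        raise ValueError("partial body length not handled")
    size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)   # old-format header
    if size is None:
        raise ValueError("indeterminate length not handled")
    end = pos + 1 + size
    return (first >> 2) & 0x0F, int.from_bytes(data[pos + 1:end], "big"), end

def inspect_certificate(data):
    """Walk every packet; return a list of findings (empty = nothing flagged)."""
    pos, signatures, findings = 0, 0, []
    while pos < len(data):
        try:
            tag, length, pos = read_header(data, pos)
        except IndexError:
            raise ValueError("truncated packet header") from None
        if pos + length > len(data):
            raise ValueError("truncated packet body")
        pos += length                             # skip the body, headers only
        signatures += tag == TAG_SIGNATURE
        if tag == TAG_USER_ID and length > MAX_UID_BYTES:
            findings.append(f"User ID packet of {length} bytes")
    if signatures > MAX_SIGNATURES:
        findings.append(f"{signatures} signature packets")
    return findings

# Constructed sample data: the headers are well-formed, the bodies are filler.
def packet(tag, body):
    return bytes([0xC0 | tag, 255]) + len(body).to_bytes(4, "big") + body

UID = b"Example <user@example.invalid>"
CLEAN = packet(6, bytes(32)) + packet(13, UID) + packet(2, bytes(64))
BLOATED = packet(6, bytes(32)) + packet(13, b"A" * 5000) + packet(2, bytes(64)) * 1500
```

Running `inspect_certificate` on a key file obtained with `gpg --dearmor` before importing it shows whether the certificate is bloated without handing it to the keyring first.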