New Release: Tor Browser 9.0a6

by boklm | September 5, 2019

Update 6/9 0600UTC: Added another known issue.

Tor Browser 9.0a6 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

This is the first alpha release based on Firefox ESR68, and therefore contains several important changes such as the rebasing of our Firefox patches, toolchain updates, integration of Torbutton directly into the browser and updates to Tor Launcher to make it compatible with ESR68.

If you find any issue with this release, please help us by reporting them so we can fix as much as we can before the first stable release based on ESR68, which is planned for October 22.

Known issues:

  • Tor Browser 9.0a6 is not reproducible on some platforms right now: We have issues on 32bit Linux, Windows, and Android. Those are planned to be fixed in the next alpha release, though, to give the usual guarantees reproducible builds aim to provide.
  • New Identity and the bridge configuration in the browser are not easily accessible anymore as we removed the onion button. We are currently working on a replacement for both: New Identity will be exposed directly in the toolbar and the bridge configuration gets integrated in the Firefox settings. For New Identity please use the shortcut (Ctrl+Shift+U) for now or the item in the hamburger menu.
  • We already have a number of known tickets we need to work on in the coming weeks. The most important ones are tagged with the tbb-9.0-must-alpha keyword. Moreover, we have accumulated Firefox 68 ESR related issues over the time that can easily be queried with our ff68-esr keyword.

The full changelog since Tor Browser 9.0a5 is:

  • All platforms
    • Update Firefox to 68.1.0esr
    • Update NoScript to 11.0.3
      • Bug 26847: NoScript pops up a full-site window for XSS warning
      • Bug 31287: NoScript leaks browser locale
    • Bug 30429: Rebase patches for Firefox 68 ESR
    • Bug 10760: Integrate Torbutton into Tor Browser directly
    • Bug 25856: Remove XUL overlays from Torbutton
    • Bug 31322: Fix about:tor assertion failure debug builds
    • Bug 31520: Remove monthly giving banner from Tor Browser
    • Bug 29430: Add support for meek_lite bridges to bridgeParser
    • Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
    • Bug 30683: Prevent detection of locale via some *.properties
    • Bug 31298: Backport patch for #24056
    • Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
    • Bug 27601: Browser notifications are not working anymore
    • Bug 30845: Make sure internal extensions are enabled
    • Bug 28896: Enable extensions in private browsing by default
    • Bug 31563: Reload search extensions if extensions.enabledScopes has changed
    • Bug 31396: Fix communication with NoScript for security settings
    • Bug 31142: Fix crash of tab and messing with about:newtab
    • Bug 29049: Backport JS Poison Patch
    • Bug 25214: Canvas data extraction on locale pdf file should be allowed
    • Bug 30657: Locale is leaked via title of link tag on non-html page
    • Bug 31015: Disabling SVG hides UI icons in extensions
    • Bug 31357: Retire Tom's default obfs4 bridge
  • Windows + OS X + Linux
    • Update Tor to 0.4.1.5
    • Update Tor Launcher to 0.2.19.3
      • Bug 29197: Remove use of overlays
      • Bug 31300: Modify Tor Launcher so it is compatible with ESR68
      • Bug 31487: Modify moat client code so it is compatible with ESR68
      • Bug 31488: Moat: support a comma-separated list of transports
      • Translations update
    • Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
    • Bug 31251: Security Level button UI polish
    • Bug 31344: Register SecurityLevelPreference's 'unload' callback
    • Bug 12774: Selecting meek in the browser UI is broken
    • Build System:
  • Windows
    • Bug 31547: Back out patch for Mozilla's bug 1574980
    • Bug 31141: Fix typo in font.system.whitelist
    • Backport fix for bug 1572844 to fix broken build
  • OS X
  • Linux
    • Bug 31403: Bump snowflake commit to cd650fa009
  • Android
    • Bug 31010: Rebase mobile patches for Fennec 68
    • Bug 31010: Don't use addTrustedTab() on mobile
  • Build System:
    • All Platforms:
      • Bug 30585: Provide standalone clang 8 project across all platforms
      • Bug 30376: Use Rust 1.34 for Tor Browser 9
      • Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
      • Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
      • Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
    • Windows
      • Bug 30322: Windows toolchain update for Firefox 68 ESR
        • Bug 28716: Create mingw-w64-clang toolchain
        • Bug 28238: Adapt firefox and fxc2 projects for Windows builds
        • Bug 28716: Optionally omit timestamp in PE header
        • Bug 31567: NS_tsnprintf() does not handle %s correctly on Windows
        • Bug 31458: Revert patch for #27503 and bump mingw-w64 revision used
      • Bug 9898: Provide clean fix for strcmpi issue in NSPR
    • OS X
      • Bug 30323: MacOS toolchain update for Firefox 68 ESR
      • Bug 31467: Switch to clang for cctools project
      • Bug 31465: Adapt tor-browser-build projects for macOS notarization
    • Linux
      • Bug 30321: Linux toolchain update for Firefox ESR 68
        • Bug 30736: Install yasm from wheezy-backports
        • Bug 31447: Don't install Python just for Mach
      • Bug 31394: Replace "-1" with "−1" in start-tor-browser.desktop.
    • Android
      • Bug 30324: Android toolchain update for Fennec 68
        • Bug 31173: Update android-toolchain project to match Firefox
        • Bug 31389: Update Android Firefox to build with Clang
        • Bug 31388: Update Rust project for Android
        • Bug 30665: Get Firefox 68 ESR working with latest android toolchain
        • Bug 30460: Update TOPL project to use Firefox 68 toolchain
        • Bug 30461: Update tor-android-service project to use Firefox 68 toolchain
      • Bug 28753: Use Gradle with --offline when building the browser part

Comments

Please note that the comment area below has been archived.

September 05, 2019

Permalink

I feel like something is wrong with this release.
not only did features like the "new identity" button disappear. and the browser feels more like a vanilla firefox than torbrowser (with stuff like pocket enabled, and settings changed).
but firefox.exe is also suddenly creating a firewall alert, trying to connect to a few IPs at port 80.

September 10, 2019

In reply to gk

Permalink

> while the onion button will be gone for good

You are not removing the security slider, are you? How will we access that?

September 05, 2019

Permalink

Can you tell phony Cloudflare to add the Firefox 68 UA to the whitelisted ones? We don't want to have to deal with captchas all the time again... Thanks!

September 05, 2019

Permalink

New Tor browser crashs on samsung s9.
Thanks for this bad version.
Orbot/Orfox was perfect.
Any solution?

September 05, 2019

Permalink

Thank you for linking to those bug reports in the blog post! I found issues #30662 and #31601 useful for understanding the (temporary) visual changes in the browser.

September 05, 2019

Permalink

Just installed /updated my Tor Browswer to 9.0.a6

And now all of the comments im Bookmarks are gone! Why is that ?!?
There were essential comments/infos on the related pages!
How can i get back these informations?

September 06, 2019

In reply to gk

Permalink

Thanks for the reply.
No, no not the bookmarks themelves - but the description fields are empty
Right-click on a bookmark -> Properties -> and then you get several fields (Name, Location, Tags, Keyword, Description) for each bookmark. Most essential one, of course, is "location"

For example: in my Tor-Blog Bookmark you can find the Description "Best Anonymous Browser in the world!".
And it's gone!
Other comments/description are way more important - and they are also gone.

I switched back to Tor-Browser 8.5.5 - and eyerthing is fine. All the fields filled with the information I hacked in over the last years.

OS is Linux (Fedora 5.2.11-200.fc30.x86_64 ) .

September 08, 2019

In reply to gk

Permalink

The field "Description" was replaced by "Keyword" in the properties of each bookmark. Guess that's the problem.

September 09, 2019

In reply to gk

Permalink

-O3 for JS?

September 06, 2019

Permalink

hello,
something's definitely wrong.
Operating system Mac OSX (version 10.14.6)!
After update nothing works anymore, Tor freezes, the settings can't be called - in short I can't use it. Had to restore version 9.0a4 (based on Mozilla Firefox 60.8.0esr) (64-bit) from backup.
Do other users also have such problems?

You are the first one reporting that. Does the problem still occur with a clean installation, e.g. to a different location like your Desktop (just drag the app there after double-clicking on the .dmg)?

Yes. Despite a clean installation, the two most obvious things that no longer work are "Quit" (I have to force-quit the application) and the "About" window no longer displays. I've not had it installed for very long, so there may be more discoveries yet to be made. (macOS 10.4.6)...

September 06, 2019

Permalink

Developer! In mobile versions of Tor Browser for Android devices there is a vulnerability when using "Privacy Tab". After authorization on the site and further closure of the "Privacy Tab" in the browser remain identification data that are not deleted after clearing the cache!
In tests: Re - visit the site after clearing the cache shows automatic registration on the site! In the process of developing the Tor Browser version 9.0a3 - 9.0.a6 for Android this vulnerability persists in the browser. This vulnerability is a constant security threat to all users of Tor Browser for Android!
Version 9.0a3 - 9.0a6 use is dangerous!

Offered to take a test:

1) log on to the website and complete the authorization.
2) do not click on the "exit" button, and clear the browser cache. Page closes. The browser will report: the data has been deleted.
3) re-enter the site without going through the authorization procedure.

You will see that you are logged into your account without entering a login and password.

******************************************************************
Разработчик! В мобильных версиях Tor Browser для андроид устройств наблюдается уязвимость при использовании "Privacy Tab". После авторизации на сайте и дальнейшего закрытия "Privacy Tab" в браузере остаются идентификационные данные которые не удаляются после чистки кэша!
При тестах : Повторное посещение сайта после чистки кэша показывает автоматическую регистрацию на сайте! В процессе разработки Tor Browser версий 9.0a3 - 9.0.a6 для андроид данная уязвимость в браузере сохраняется. Подобная уязвимость представляет постоянную угрозу безопасности всем пользователям Tor Browser для андроид!
Версиями 9.0a3 - 9.0a6 пользоваться опасно!

Предлагаю пройти тест:

1) войдите на сайт и пройдите авторизацию.
2) не кликайте на кнопку "выход", и очистите кэш браузера. Страница сайта закроется. Браузер сообщит: данные удалены.
3) повторно войдите на сайт не проходя процедуры авторизации.

Вы увидите, что вошли в свой аккаунт без ввода логина и пароля.

September 06, 2019

Permalink

#26847 This is not fixed as was stated. This full page pop-up occurs at the oddest of times. As I mentioned awhile ago, it is as relentless as a damn captcha. It even popped up on your email from today with this tor-announce! So please don't claim that it is fixed. Otherwise, thank you again for your work. Let us hope that soon this nuisance will go away. It is difficult to use the computer when it is in the way.

You mean you still get a *full page* popup? (Yes, there is still a popup in case NoScript thinks something is wrong, but it should be way smaller). Which NoScript version are you on? What is the suspicious URL NoScript is reporting?

September 09, 2019

In reply to gk

Permalink

Thank you gk for your reply. I am on 11.0.3 and yes, there was a full page popup that occurs and holds for a second prior to reducing to a smaller coverage. I don't have the one I mentioned's URL written down, although it came up when I opened your email. It occurs when certain, innocent emails like yours are clicked on and at other times. I usually don't do anything that seemingly causes it. After awhile, you see enough of them that you just want to stop them and get them away as quickly as poss. I know a couple of sights that are guaranteed to make them happen, even though the sites' safety you wouldn't expect compromised. Any thing I can do to help you I will try to do. (I am not as computer savvy as you are, I'm sure). Thanks again.

September 06, 2019

Permalink

After updating, this Tor Browser does not start in Whonix anymore (the script says "Exited with code 255").
And the freshly downloaded instance does not run either.
And the manual "sh -c ..." launch command appeas to launch it, but nothing really opens up.
Script changes?

September 09, 2019

In reply to gk

Permalink

Thanks for the possible fix.
I already downgraded this alpha to the stable version. That still runs good in the same system, as before.
I'll be looking for the next great alpha, though.
Thanks for your work!

September 06, 2019

Permalink

Georg, can we get an official statement on whether it's safe to switch to the black Firefox theme when we click on Hamburger Menu > Customize or does it engender fingerprinting concerns? (though I have 0 idea how it could be possible to determine the theme that one is using by JS unless of a potential bug)

September 06, 2019

Permalink

OS: Windows_10 x64 Enterprise 1903 18362.239
Tor 8.8.5
--------------

I can't connect to TOR.
How can I connect to TOR ?

However
Connection is possible when Windows Firewall is disabled.

(I use Maiwarebyte Firewall controll.
Usually set as follows.
Medium Filtering
   Outgoing connections that do not match a rule are blocked)

[img]https://i.imgur.com/MDzqX1b.jpg[/img]

Tor is installed below.
C: \ Tor Browse \ Browser

When installing to the original desktop directory,
it was possible to connect to TOR.

-------------------------
[img]https://i.imgur.com/3OoHUIU.jpg[/img]
--------------------------

Error Log:

9/7/19, 02:42:56.770 [WARN] Problem bootstrapping.
Stuck at 0% (starting):
Starting. (Permission denied [WSAEACCES ];
RESOURCELIMIT; count 10;
recommendation warn;
XXX)
9/7/19, 02:42:56.950 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
9/7/19, 02:42:56.960 [NOTICE] DisableNetwork is set.
Tor will not make or accept non-control network connections.
Shutting down all existing connections.
9/7/19, 02:42:56.960 [NOTICE] Delaying directory fetches: DisableNetwork is set.

-------------------

September 06, 2019

Permalink

I have to correct, not *all* of the fields are empty, but the "Description" field, where I used to store my notes.

September 07, 2019

Permalink

This release doesn't start as a native wayland client, even with the GDK_BACKEND=wayland variable. Sad.

> Tor Browser must be run within the X Window System.

September 07, 2019

Permalink

I'm using tor android. Browser has an option to play video on browser's player from websites. Also have an option to save the video. The problem is when i save a video by choosing that option nothing happened. I repeatedly complained on Google play review since more than 1 years. Please help me. What was the problem.

September 08, 2019

Permalink

Already told you but i say it again, it's impossible to close the app Tor, I have to do Alt+Cmd+Esc to close it. I am on Mac OX 10.13.6.
I hope a new release soon. Thanks

September 08, 2019

Permalink

Configuring an Android-based mobile device for authenticated Version 2 Onion Services

how does it works with the new Tor Browser 8.5.5
i cannot find the torrc and with orbot is doesn't work

How did you used to configure authenticated v2 versions? And what do you mean with Orbot it does not work? We did not change anything in Orbot. In fact, we are not even using Orbot (anymore) in the browser.

September 08, 2019

Permalink

In April of this year @gkgk assured us releasing a separate APK of new Tor Browser (not Orfox) for Android devices. What happened to it? You very well know that new Tor Browser does not support Alwasy-on VPN functionality and the entire Tor network shuts down when you exit new Tor Browser.

Also, Orbot and new Tor Browser do not work together.

Orbot on the other hand, has supported such features and no data leak is possible due to Android's new "Block connection without VPN" function. This is right now the only way to completely tunnel entire Android over Tor network.

We just need a separate APK of Tor Browser which can be used over Orbot.

Looking forward to your response.

Ref.: Reddit Post That Inspired Me!

September 09, 2019

Permalink

Latest version added a permission in android to change audio settings. What's the purpose of that?

September 16, 2019

In reply to gk

Permalink

It's not triggered, since it's not one that can be denied. It's listed as a new permission in the "other" group when viewing the permissions on the play store page. The name may vary by device but for me it's "change your audio settings."

September 09, 2019

Permalink

the new alpha 9.0a6 does not start at all in debian 10, not from source folder and not from command line either. it pauses as if it wants to start but nothing happens?
fresh install from torproject, sig verified, linux 64bit

September 11, 2019

Permalink

Tor Browser 9.0 Alpha 6 does not use all localization files, except the Connecting window all other strings on Welcome page and menus instead on Macedonian are on English!
* Also I have reported this on ticket #30468 4 days ago.

September 14, 2019

Permalink

Received unexpected result type undefined, falling back to typed transition. WebNavigation.jsm:217
onURLBarUserStartNavigation resource://gre/modules/WebNavigation.jsm:217
observe resource://gre/modules/WebNavigation.jsm:136
_notifyStartNavigation resource:///modules/UrlbarInput.jsm:1364
_loadURL resource:///modules/UrlbarInput.jsm:1240
handleCommand resource:///modules/UrlbarInput.jsm:446
_initPasteAndGo resource:///modules/UrlbarInput.jsm:1333

September 17, 2019

In reply to gk

Permalink

Compile without them and prove shipped builds are not affected (by comparing hashes). FWIW, it was a confirmed bug in Firefox.

September 17, 2019

In reply to gk

Permalink

Updated TBB and got HTTPS-E 2019.6.17 with rulesets, which updated to 2019.9.13 only after several days. And there is no way to force them updating.

September 17, 2019

Permalink

RemoteWebProgress failed to call onStatusChange: [Exception... "JavaScript component does not have a method named: "onStatusChange"'JavaScript component does not have a method named: "onStatusChange"' when calling method: [nsIWebProgressListener::onStatusChange]" nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)" location: "JS frame :: resource://gre/modules/RemoteWebProgress.jsm :: _callProgressListeners :: line 119" data: no]
2 RemoteWebProgress.jsm:121
_callProgressListeners resource://gre/modules/RemoteWebProgress.jsm:121
onStatusChange resource://gre/modules/RemoteWebProgress.jsm:172

September 18, 2019

In reply to gk

Permalink

I can't disclose that website, but this error doesn't appear on stable.

September 22, 2019

Permalink

I haven't been using TB much in the past few months, but I did a fresh install today because I encountered minor issues I thought could have been caused by a faulty update through the browser's update prompt... happened to notice that NoScript, HTTPS Everywhere, and any other "built-in" extensions don't seem to be present. Is this intentional? [did not change any settings; launched right after clean install] Security Level is present on the toolbar, however...

Thx.

What makes you believe they are not present? Are they visible on the about:addons page? Note we re-did the toolbar in Tor Browser 8.5 where where we hid those two extensions from the toolbar (but they are still there).