New Release: Tor Browser 9.0a8

Tor Browser 9.0a8 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This is the last alpha release before the first stable release in the 9.0 series, which is planned for next week. It contains various fixes and improvements. Among them, we added a New Identity button to the toolbar, included Tor network settings in about:preferences, fixed the App menu items on macOS, and solved the issue that made the Android build non-reproducible.

Known issue:

  • While building this release and checking that the build is reproducible, we found that our linux32 and macOS bundles did not match. However, this seems to be an intermittent issue, as triggering a rebuild caused our builds to match. We are currently investigating the issue.

If you find any issues with this release, please help us by reporting them so we can fix as many as we can before the first stable release based on ESR68, which is planned for next week, October 22.

The full changelog since Tor Browser 9.0a7 is:

  • All Platforms
    • Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
    • Bug 28196: about:preferences is not properly translated anymore
    • Bug 19417: Disable asmjs on safer and safest security levels
    • Bug 30463: Explicitly disable MOZ_TELEMETRY_REPORTING
    • Bug 31935: Disable profile downgrade protection
    • Bug 31811: Backport fix for bug 1554805
    • Bug 16285: Disable DRM/EME on Android and drop Adobe CDM
    • Bug 31602: Remove Pocket indicators in UI and disable it
    • Bug 31914: Fix eslint linter error
    • Translations update
  • Windows + OS X + Linux
    • Update Tor to 0.4.2.2-alpha
    • Update Tor Launcher to 0.2.19.5
      • Bug 31286: New strings for about:preferences#tor
      • Translations update
    • Bug 31286: Provide network settings on about:preferences#tor
    • Bug 31886: Fix ko bundle bustage
    • Bug 31768: Update onboarding for Tor Browser 9
    • Bug 27511: Add new identity button to toolbar
    • Bug 31778: Support dark-theme for the Circuit Display UI
    • Bug 31910: Replace meek_lite with meek in circuit display
    • Bug 30504: Deal with New Identity related browser console errors
    • Bug 31929: Don't escape DTD entity in ar
    • Bug 31747: Some onboarding UI is always shown in English
    • Bug 32041: Replace = with real hamburger icon ≡
  • Windows
    • Bug 31942: Re-enable signature check for language packs
    • Bug 29013: Enable stack protection for Firefox on Windows
  • OS X
    • Bug 31607: App menu items stop working on macOS
    • Bug 31955: On macOS avoid throwing inside nonBrowserWindowStartup()
  • Linux
    • Bug 31942: Re-enable signature check for language packs
    • Bug 31968: Don't fail if /proc/cpuinfo is not readable
    • Bug 24755: Stop using a heredoc in start-tor-browser
    • Bug 31550: Put curly quotes inside single quotes
  • Android
    • Bug 31822: Security slider is not really visible on Android anymore
  • Build System
    • All Platforms
      • Bug 31293: Make sure the lo interface inside the containers is up
    • Windows
      • Bug 29013: Enable stack protection support for Firefox on Windows
    • Android
      • Bug 31564: Make Android bundles based on ESR 68 reproducible
      • Bug 31981: Remove require-api.patch
      • Bug 31979: TOPL: Sort dependency list
      • Bug 30665: Remove unnecessary build patches for Firefox
Anonymous

October 16, 2019

Oh, fuck, it's #31286 damaged the default:

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesuit exec TorBrowser\Tor\PluggableTransports\obfs4pr
ClientTransportPlugin snowflake exec TorBrowser\Tor\PluggableTransports\snowflake-client.exe -url https://snowflake-broker.azureedge.net/ -front ajax.aspnetcdn.com -ice stun:stun.l.google.com:19302
DataDirectory C:\Tor Browser\Browser\TorBrowser\Data\Tor
GeoIPFile C:\Tor Browser\Browser\TorBrowser\Data\Tor\geoip
GeoIPv6File C:\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6
ReachableAddresses *:80,*:443

Isolating obfs4proxy.exe in many different ways led to a situation where it died hard many times. And switching tor properties back and forth many times finally led to this bug occurring, which prevented further experiments. But it is some piece of code that wrote a truncated torrc line, right?

What kind of bad things? What error messages do you get? And what second loop do you mean? How are you cycling through the built-in bridges?

I tried that with the release candidate for 9.5a1 but I did not get any broken bridge functionality.

So the odd thing about this is that none of the new code, nor any of the legacy code in tor-launcher or tor-button SETCONF ClientTransportPlugin, so I'm not sure how this could be happening.

Can you provide repro steps from a fresh TorBrowser install, along with logs?

Hi, Richard! Nice to see you here!
What I've found so far:
now, when "4pr" was replaced with a good one to make TBB work again, I tried to switch to a snowflake bridge, and it failed with:
"Bridge snowflake 0.0.3.0:1" line instead of two ClientTransportPlugin lines before the switch!
So, it seems it makes clearer who modifies torrc. Although, it would be much harder to reproduce that with a clean installation.

Also when I switched from obfs4 to meek-azure, the circuit display still shows obfs4.

It only gets updated when new requests get made and thus new resources for a site loaded. Or are you saying that obfs4 is still shown after you reloaded a page or something?

For more than a year I have tried and tried without success to report a GTK3 issue related to Tor in Debian 10 "Buster" (and even Debian 9) and wonder whether this could be the cause:

> In practice this means GTK3 file dialog is reset to its default behavior in all other programs that use it.

I mostly use Debian offline but I sometimes use Tor Browser in Debian 10, and I often use debian-tor to update the system. For the latter I use synaptic. And I keep getting weird error messages about GTK3 dialog, which possibly is the reason that the synaptic front end doesn't work quite right. Since updating the system and keeping the onion repos healthy are critical functions for users and for Debian Project respectively, this is an important issue and I feel it is not good that Tor Project has for some reason been suppressing the problem.

There is no one suppressing anything here. All we know about that issue is in our bug tracker. Maybe you are referring to https://trac.torproject.org/projects/tor/ticket/27903? If so, yes, this is still open and we need someone to come up with a patch (it could be you!).

TypeError: docShell.failedChannel is null NetErrorChild.jsm:844:32

How can I reproduce that error?

hi, bn, ta, kn, si_LK are TOFU on Windows 10.
https://bridges.torproject.org

On Android, why is browser.safebrowsing.downloads.enabled = false? Is it a security risk to enable? I want to save image and video files.

We don't have audited Safebrowsing, thus it is disabled across all platforms. That said, saving images and videos should work nevertheless. How are you trying to save those? I wonder whether you are actually hitting https://trac.torproject.org/projects/tor/ticket/31013.

I have the same results as described in the ticket you posted, also with video formats.
If I change about:config = true then it works. Being able to save entire web pages - not pdf only - would also be great.
thanks

> Bug 30681: Set security.enterprise_roots.enabled to false
https://bugzilla.mozilla.org/show_bug.cgi?id=1541012#c17
Hey, Mozilla started to break our security in dot releases!

I reported firefox.exe making outbound connections on 9.0a7. And it still does.
Since the release of 9.0a8, Firefox.exe has attempted to connect to:
92.123.195.41:80
92.123.195.57:80
205.185.216.42:80
205.185.216.10:80
5.102.166.10:80
5.102.166.9:80
It always happens shortly after starting TorBrowser. At which point I always create a temporary "block all" rule for the .exe. So I don't know what happens later.

Am I wrong, or is this a major bug?

add-ons?

2 new IPs:
8.250.151.254:80
13.107.4.50:80
but mostly one of the upper 6.

Do you have by chance some Firefox process run in parallel that might not be closed yet? That would explain all the requests and in particular the one to the Windows update server (as Tor Browser is not using Windows related update mechanisms at all).

Is ipv6 currently any threat to anonymity on Tor? Some have said it makes Tor useless because it sends your mac address out to the internet. We only ever hear about ipv4 addresses.

That's for Fennec as it ships. We ship Torbutton etc. in Tor Browser.

Off topic question: are there any corresponding changelogs or news files for packages in Tor Project's Debian repository? If so, what's the URL pattern?

at first start:
addons.xpi WARN Failed to parse recommendation: TypeError: NetworkError when attempting to fetch resource.(resource://gre/modules/addons/XPIProvider.jsm:228:15) JS Stack trace: awaitPromise@XPIProvider.jsm:228:15
syncLoadManifest@XPIInstall.jsm:746:22
addMetadata@XPIDatabase.jsm:2720:32
processFileChanges@XPIDatabase.jsm:3160:26
checkForChanges@XPIProvider.jsm:2965:55
startup@XPIProvider.jsm:2425:12
callProvider@AddonManager.jsm:215:31
_startProvider@AddonManager.jsm:651:5
startup@AddonManager.jsm:897:14
startup@AddonManager.jsm:3493:26
observe@addonManager.js:70:29

I'm trying to open https://read.amazon.com on the latest version of Tor but I get a black screen. It works fine on Tor versions below 7. I'm wondering if I can tweak the browser to get the web page to open.

Any insight is appreciated.

What Tor Browser version are you currently on?

I suspect that's kind of expected as Tor Browser is by default in private browsing mode, not allowing things to write to disk. Do you see the same thing in a Firefox when enabling private browsing mode?