New Release: Tor Browser 9.5.1

Tor Browser 9.5.1 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 68.10.0esr and NoScript to 11.0.32.

Also, this release features important security updates to Firefox.

The Windows installer is now code signed with a new Authenticode certificate. Please report any issues you encounter with this version.

The full changelog since Tor Browser 9.5 is:

  • All Platforms
    • Update Firefox to 68.10.0esr
    • Update NoScript to 11.0.32
    • Translations update
    • Bug 40009: Improve tor's client auth stability
  • Windows + OS X + Linux
    • Bug 34361: "Prioritize .onion sites when known" appears under General
    • Bug 34362: Improve Onion Service Authentication prompt
    • Bug 34369: Fix learn more link in Onion Auth prompt
    • Bug 34379: Fix learn more for Onion-Location
    • Bug 34347: The Tor Network part on the onboarding is not new anymore
PETER

July 01, 2020

For quite a while now, the Windows' Torbrowser seems to forget/erase DuckDuckGo searches, so that if a link is clicked in a search and it proves no good, when the browser back button is clicked to go back to the search, DuckDuckGo reverts to a blank starting page, not the previous search results. Very annoying and inconvenient. Is this a cache thing or is there some setting in config that can be changed?

(It does not affect the Android version of TorBrowser, strangely enough)

This is what I figured the cause was as well.

When you search from the address bar your search terms are sent in a POST request to https://duckduckgo.com/, but when you search from the website they're sent in a GET request to https://duckduckgo.com/?q=your+search+terms. When you click the back button, it doesn't do the same POST request, so instead of searching it just brings you to the DuckDuckGo homepage.

This happens on Startpage too. I think it's a privacy feature of the site, (cache-control: max-age=1), so that searches aren't saved in browser history or restore tabs for example. Sometimes I actually get a "Document Expired" error, and reloading the page goes back to the home page.

PETER

July 01, 2020

Running a fully updated version of the current release of fedora.

Got the notice several hours ago about the new version 9.5.1 of Tor Browser and clicked the up arrow icon to restart to update.

A small alert window with a progress bar says something like "tor is installing your updates..." and very quickly it finishes and disappears and tor browser opens. But the version still says 9.5 and when I click View Changelog it still says Release Date June 2 2020.

I tried closing and opening tor browser several times several hours ago and again now, but it doesn't actually update. I saw similar behavior the last couple updates, too, but after restarting one or two times then the update worked.

Thank you to your team, I love using Tor & Tor Browser.

Your description sounds like there is a failure in applying the update. Tor Browser downloads an update and verifies its integrity. After that is successful, the browser notifies you that an update is available and restarting the browser will install it. When the browser restarts, it tries applying the update. When this process fails, then the browser remains on the current version.

You may find a useful/informative log file in the Tor Browser directory under Browser/TorBrowser/UpdateInfo/updates/last-update.log. Some more details can be found on this page https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Platform_I…

Do you see that file and any errors in that file?

Thanks for your answer. Here's the content of the update log:

PATCH DIRECTORY /home/x/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/UpdateInfo/updates/0
INSTALLATION DIRECTORY /home/x/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser
WORKING DIRECTORY /home/x/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser
UPDATE TYPE partial
PREPARE PATCH updater
PREPARE PATCH tbb_version.json
PREPARE ADD removed-files
PREPARE ADD precomplete
[...]
EXECUTE PATCH libxul.so
### execution failed

[edited: trimmed content]

Yes, the last two lines are:
failed: 64
calling QuitProgressUI

The last several lines before that are:

FINISH PATCH browser/features/onboarding@mozilla.org.xpi
backup_restore: cannot get info for backup file: browser/features/onboarding@mozilla.org.xpi.moz-backup, err: 2
FINISH PATCH browser/blocklist.xml
backup_restore: cannot get info for backup file: browser/blocklist.xml.moz-backup, err: 2
FINISH PATCH application.ini
backup_restore: cannot get info for backup file: application.ini.moz-backup, err: 2
FINISH PATCH TorBrowser/Tor/tor
backup_restore: cannot get info for backup file: TorBrowser/Tor/tor.moz-backup, err: 2
FINISH PATCH TorBrowser/Docs/ChangeLog.txt
backup_restore: cannot get info for backup file: TorBrowser/Docs/ChangeLog.txt.moz-backup, err: 2
FINISH ADD TorBrowser/Data/Browser/profile.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
backup_restore: cannot get info for backup file: TorBrowser/Data/Browser/profile.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi.moz-backup, err: 2

Thanks. That "failed:" number indicated the update failed while it tried writing an updated version of a file onto your hard drive. As the below comment suggests, this could be due to having insufficient disk space for the new version. Firefox (and Tor Browser) do not handle this situation well.
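An added example, not part of the original thread and not Tor Browser's own code: a small triage script for the last-update.log format quoted above. It reports which step was executing when the updater logged "### execution failed", the final "failed:" code, and the free space on the installation directory. The function names and the sample log are constructed for illustration.

```python
import re
import shutil

# Constructed sample, abbreviated from the log lines quoted in the thread.
SAMPLE_LOG = """\
INSTALLATION DIRECTORY /home/x/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser
UPDATE TYPE partial
PREPARE PATCH updater
EXECUTE PATCH libxul.so
### execution failed
FINISH PATCH application.ini
backup_restore: cannot get info for backup file: application.ini.moz-backup, err: 2
failed: 64
calling QuitProgressUI
"""

def triage_update_log(text):
    """Summarise an updater log: install dir, update type, failing step, final code."""
    report = {"install_dir": None, "update_type": None,
              "failed_step": None, "failed_code": None, "restore_warnings": 0}
    last_execute = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("INSTALLATION DIRECTORY "):
            report["install_dir"] = line[len("INSTALLATION DIRECTORY "):]
        elif line.startswith("UPDATE TYPE "):
            report["update_type"] = line.split()[-1]
        elif line.startswith("EXECUTE "):
            last_execute = line[len("EXECUTE "):]   # e.g. "PATCH libxul.so"
        elif line == "### execution failed":
            report["failed_step"] = last_execute    # step that was running when it failed
        elif line.startswith("backup_restore: cannot get info"):
            report["restore_warnings"] += 1         # counted apart from the failure itself
        elif (m := re.fullmatch(r"failed: (\d+)", line)):
            report["failed_code"] = int(m.group(1))
    return report

def free_mib(path):
    """Free space on the filesystem holding `path`, in MiB (None if the path is absent)."""
    try:
        return shutil.disk_usage(path).free // (1024 * 1024)
    except OSError:
        return None

if __name__ == "__main__":
    r = triage_update_log(SAMPLE_LOG)
    print(r, "free MiB:", free_mib(r["install_dir"] or "."))
```

To use it on a real installation, read Browser/TorBrowser/UpdateInfo/updates/last-update.log from the Tor Browser directory and pass its contents to triage_update_log().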

PETER

July 01, 2020

I've noticed enterprise policies are working again. Does that mean it's now considered safe?

PETER

July 01, 2020

Hi,

The browser does not open and sometimes even if it opens the tab crashes. The OS is Windows 8.1 Pro, 64 bit and Antivirus is Quick Heal Internet Security Essentials. I tried disabling the antivirus, firewall but nothing seems to work. Please help...

" trade-off: break the web or reveal the OS. "

That's no explanation for why I'm forced to reveal the real OS, especially with Javascript on.
Suddenly, the devs switch off this Anti-Fingerprinting Defense.
ALL older versions have had this feature and it's strange to make it impossible to spoof the useragent.

PETER

July 03, 2020

--
Hello! Need some help:

There is a discussion with OpenNet-site owner to provide onion-mirror of the site - https://www.opennet.ru/openforum/vsluhforumID4/591.html
It looks like OpenNet is already quite friendly to Tor-users, unfortunately the owner is quite conservative and requests the reasons to run onion-service. Have to say I share some of his concerns and thus I did a brief web-search:

https://community.torproject.org/onion-services/
--
What are Onion Services?
Onion services are services that can only be accessed over Tor.
Running an onion service gives your users all the security of HTTPS
with the added privacy benefits of Tor Browser.
--

https://riseup.net/en/security/network-security/tor/onionservices-best-…
--
Onion services don’t need to be hidden!
You can provide an onion service for a service that you offer publicly on a server that is not intended to be hidden.
Onion services are useful to protect users from passive network surveillance,
they keep the snoopers from knowing where users are connecting from and to.

--
Ask your favorite online service to provide an onion service!
Advocate for more onion services by asking those who provide the services that you use to make them available.
They are easy to setup and maintain, and there is no reason not to provide them!
--

Summarizing the above - onion-version of OpenNet may
* bring some (what?) "added privacy benefits" to users.
* "keep [the evils] from knowing where users are connecting from"
- Could you please say - What did I miss?

Concerning RiseUp's "there is no reason not to provide them" - the site-owner argues that extra functionality potentially increases the number of vectors for attacks. Thus "there is no reason not to" - is not a reason to do :-)

Could anybody provide more arguments for adding onion-service?

Personally I see the reason to keep a browsing within TorNetwork
* to avoid ClearNet DNS-requests and
* (probably) avoid pumping Web-traffic via any of TorExitNodes (as ones are potentially more risky?).
- so this is all about "to protect users", are there any other reasons?
Does it mean that all the onion-stuff is about - "to protect users"? Does onion-version protect users sufficiently better than Tor+HTTPS?

Also unfortunately https://www.eff.org/pages/tor-and-https does not illustrate the situation with onion-services.
So -
* What are benefits of visiting site-onion-version over Tor+HTTPS for users?
* Are there pitfalls of keeping site-onion-version for site maintainers?

Also https://community.torproject.org/onion-services/overview/
provides some descriptions -
* "Location hiding" - it is not hidden site, seems like unnecessary for this situation
* "NAT punching" - not sure about, seems like unnecessary for this situation
* "End-to-end authentication" - i.e. about avoiding DNS-attacks and MITMs
* "End-to-end encryption" - i.e. strong crypto

Are there any advocates to help to point to extra reasons to prepare onion-service of opennet.ru?
--

PETER

July 04, 2020

My Tor Browser reveals all the fonts that I have when I have JavaScript enabled. For that reason, I can't enable JavaScript or else my fingerprint is in fact very unique according to EFF Panopticlick and others. What can I do?

It does not, Tor Browser only reveals a small amount of installed fonts. See the following information at https://2019.www.torproject.org/projects/torbrowser/design/#fingerprint… (search for "6. Fonts"):

"For Windows and macOS we use a preference, font.system.whitelist, to restrict fonts being used to those in the whitelist. This functionality is provided by setting privacy.resistFingerprinting to true. The whitelist for Windows and macOS contains both a set of Noto fonts which we bundle and fonts provided by the operating system. For Linux systems we only bundle fonts and deploy a fonts.conf file to restrict the browser to use those fonts exclusively. In addition to that we set the font.name* preferences for macOS and Linux to make sure that a given code point is always displayed with the same font. This is not guaranteed even if we bundle all the fonts Tor Browser uses as it can happen that fonts are loaded in a different order on different systems. Setting the above mentioned preferences works around this issue by specifying the font to use explicitly. "

PETER

July 04, 2020

TorBrowser for Android: after version 9.5 finally stopped leaking locale in the http_accept headers, version 9.5.1 unfortunately shows this behavior again. Why?

PETER

July 04, 2020

HELLO everyone.

How can I fully turn off telemetry and associated things? Because in last update settings like "allow Mozilla collect data..." got removed from settings panel and how I understood due to comments session - it's now switched on by default...

PETER

July 05, 2020

Yo sooo for some reason I have a bug that whenever I open links from other apps, like let's say I opened a link from an email, tor will not load the link even if I refresh it

PETER

July 05, 2020

Scan Started Wed May 20 04:38:00 2020 (ClamWin Antivirus+ClamSentinel active shield)
C:\...\torbrowser-install-9.5a12_en-US((32bit)).exe: Win.Malware.Nymeria-6913499-0 FOUND
C:\...\torbrowser-install-9.5a12_en-US((64 bit)).exe: Win.Malware.Nymeria-6913499-0 FOUND
What about that?

PETER

July 05, 2020

If http download via Tor Browser itself doesn't work, what is the fallback?

In recent weeks I have often experienced the following while trying to download various files in various formats from various sites, including TBB 9.5.1 from this site (both the www and onion version), using Tor Browser:

Initially the download seems to be proceeding normally, but when it is about 90% complete (independent of file size) the connection is severed. Clicking "reload" sometimes starts from byte 0 and then fails, and sometimes loads a few more bytes and then fails.

In such cases I have only been able to obtain the file using

torify wget -c ""

but this does not work for onion sites.

Three questions:

o is there an innocuous explanation for these download failures?

o can Tor Project suggest a workaround?

o seeing the "onion available" notice at right in the URL pane is a very nice feature, but shouldn't (left? right?) clicking on that notice load the onion version? This does not seem to work for me.

PETER

July 06, 2020

It's not working well on macOS Big Sur beta, whatever website I open it shows a blank page, it loads the page but everything is hidden

PETER

July 09, 2020

I think this topic is an ongoing issue; please correct if I am wrong. I want privacy/safety as we all do. Adjusting script threshold lower does not sound like a good idea (to me). Can you somehow shorten or eliminate the devilish NoScript warning that leaps onto the screen filling and covering the page that I am looking at and then getting smaller although still covering my work? It doesn't seem to care what site I am on and affects my using the computer. It happens too often and is always annoying. I get to where picking the choices is not as good as just x'ing it out. Give it some thought. Thank you.

PETER

July 13, 2020

Thank you Tor Project for the amazing work you do! We love you!

It seems TB 9.5.1 is allowing ads through, and suggests terms when I start typing in the url field: things that the previous TB version I had did not do. This is even on "Safest" security settings. I know how to change these behaviors, but I generally never modify TB's settings, as it makes me more unique. Are these changed behaviors known and on purpose? This is on Linux Mint 19.3 and 20 with TB 9.5.1.

PETER

July 26, 2020

For the last 2 releases there's been a large border around the browser. The thickness of this border depends on the width and height of the browser. When the browser is in full screen, the left and right borders are pretty wide and the bottom one is extremely wide (I would guesstimate it to be about 10% of the window height).

Here are a few notes from some troubleshooting I've done.

  • I have tried with the light, dark and default themes and the issue persists.
  • This issue is present no matter the website I'm on (onion or not), but isn't when I'm on Tor browser option pages.
  • Zooming in and out doesn't do anything.