New Release: Tor Browser 9.5

Update [06/03 15:40 UTC]: Added developer docs for enabling onion-location and client authentication.

Tor Browser 9.5 is now available from the Tor Browser download page and also from our distribution directory. The Android version is also available from Google Play and should be available from F-Droid within the next day.

This release includes important security updates to Firefox.

This new Tor Browser release is focused on helping users understand onion services.

Tor's onion routing remains the best way to achieve end-to-end anonymous communication on the Internet. With onion services (.onion addresses), website administrators can provide their users with anonymous connections that are metadata-free or that hide metadata from any third party. Onion services are also one of the few censorship circumvention technologies that allow users to route around censorship while simultaneously protecting their privacy and identity.

For the first time, Tor Browser users on desktop will be able to opt in to using onion sites automatically whenever the website makes them available. For years, some websites have invisibly used onion services with alternative services (alt-svc), and this continues to be an excellent choice. Now, there is also an opt-in mechanism for websites that want their users to know about their onion service: it invites users to upgrade their connection via the .onion address.

What is new?

Onion Location

Website publishers can now advertise their onion service to Tor users by adding an HTTP header. When a user visits, via Tor Browser, a website that has both an .onion address and Onion Location enabled, they will be prompted about the onion service version of the site and asked to opt in to upgrade to the onion service on first use.

If you are a developer, learn how to enable onion-location in your onion service.
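A site operator can check the header value before deploying it. The following is an added example, not Tor Project code: it applies the rules from Tor's Onion-Location documentation (the page is served over HTTPS and is not itself an onion site; the header value is an http: or https: URL with a .onion host) and, going beyond them, verifies the v3 address checksum defined in Tor's rendezvous specification. The function names, the sample address, and the choice to report 16-character v2 addresses as a finding are assumptions of this example.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def _checksum(pubkey: bytes, version: bytes) -> bytes:
    # v3 address checksum: first 2 bytes of SHA3-256(".onion checksum" || key || version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def make_v3_label(pubkey: bytes) -> str:
    """Encode a 32-byte key as a 56-character v3 label (builds the sample below)."""
    return base64.b32encode(pubkey + _checksum(pubkey, b"\x03") + b"\x03").decode().lower()


def v3_onion_label_ok(label: str) -> bool:
    """True if label decodes to key + checksum + version 3 and the checksum matches."""
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == _checksum(pubkey, version)


def check_onion_location(page_url: str, header_value: str) -> list:
    """Return the problems found; an empty list means the header is usable."""
    problems = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        problems.append("page must be served over HTTPS")
    if (page.hostname or "").endswith(".onion"):
        problems.append("page is already an onion site")
    try:
        target = urlsplit(header_value.strip())
        host = target.hostname or ""
    except ValueError:
        return problems + ["header value is not a valid URL"]
    if target.scheme not in ("http", "https"):
        problems.append("header URL must use http: or https:")
    if not host.endswith(".onion"):
        problems.append("header URL host must end in .onion")
        return problems
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain
    if len(label) == 16:
        problems.append("v2 (16-character) address: no checksum to verify")
    elif not v3_onion_label_ok(label):
        problems.append("not a valid v3 onion address (length or checksum)")
    return problems


# Constructed sample: the key is bytes 0..31, not a real onion service.
SAMPLE_LABEL = make_v3_label(bytes(range(32)))

if __name__ == "__main__":
    good = f"http://{SAMPLE_LABEL}.onion/"
    for page, value in [
        ("https://example.com/", good),
        ("http://example.com/", good),
        ("https://example.com/", "https://example.com/onion"),
    ]:
        print(page, value[:24] + "...", check_onion_location(page, value) or "OK")
```

A single mistyped character in a v3 address fails the checksum, so the check catches a header that would otherwise prompt users toward an address that cannot resolve.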


Onion Authentication

Onion service administrators who want to add an extra layer of security to their website can now set a pair of keys for access control and authentication. Tor Browser users can save keys and manage them via about:preferences#privacy in the Onion Services Authentication section.

If you are a developer, learn how to secure your onion service using client auth.


Improved URL Bar Security Indicators

Browsers traditionally rendered sites delivered via a secure transport protocol with a green lock icon. But in mid-2019, the formerly green lock icon became gray, with the intent of de-emphasizing the default (safe) connection state and instead putting more emphasis on broken or insecure connections. Major browsers such as Mozilla Firefox and Google Chrome understood that the entire user base benefits if they deploy a familiar experience for users of both. We are following Firefox on this decision, and we have updated Tor Browser security indicators to make it easier for users to understand when they are visiting a non-secure website.


Error Pages for Onion Services

Sometimes users have a hard time reaching onion sites. In previous versions of Tor Browser, when there was an error connecting to an onion service, users received a standard Firefox error message, with no information about why they were unable to connect to the onion site.

In this release, we have improved the way Tor Browser communicates with users about service-, client-, and network-side errors that might happen when they are trying to visit an onion service. Tor Browser now displays a simplified diagram of the connection and shows where the error occurred. We want these messages to be clear and informative without being overwhelming.


Onion Names

Because of cryptographic protections, onion service URLs are not easy for humans to remember (i.e., https://torproject.org vs. http://expyuzz4wqqyqhjn.onion/). This makes it hard for users to discover or return to an onion site. We found that, organically, developers have approached this problem in different ways, mostly with solutions tailored for their service. Given that there is no solution that works perfectly for all our user groups, we also approached this problem from a broad angle. For this release, we partnered with Freedom of the Press Foundation (FPF) and the Electronic Frontier Foundation's HTTPS Everywhere to develop the first proof-of-concept human-memorable names for SecureDrop onion services addresses:

Freedom of the Press Foundation has reached out to a small number of additional media organizations for participation, and Tor and FPF will jointly consider next steps based on feedback on this initial proof-of-concept.


Known Issues

Tor Browser 9.5 comes with a number of known issues.

Give Feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know. Thanks to all of the teams across Tor, and the many volunteers, who contributed to this release.

Full Changelog

The full changelog since Tor Browser 9.0.10 is:

  • All Platforms
    • Update Firefox to 68.9.0esr
    • Update HTTPS-Everywhere to 2020.5.20
    • Update NoScript to 11.0.26
    • Update Tor to 0.4.3.5
    • Translations update
    • Bug 21549: Disable wasm for now until it is properly audited
    • Bug 27268: Preferences clean-up in Torbutton code
    • Bug 28745: Remove torbutton.js unused code
    • Bug 28746: Remove torbutton isolation and fp prefs sync
    • Bug 30237: Control port module improvements for v3 client authentication
    • Bug 30786: Add th locale
    • Bug 30787: Add lt locale
    • Bug 30788: Add ms locale
    • Bug 30851: Move default preferences to 000-tor-browser.js
    • Bug 30888: move torbutton_util.js to modules/utils.js
    • Bug 31134: Govern graphite again by security settings
    • Bug 31395: Remove inline script in aboutTor.xhtml
    • Bug 31499: Update libevent to 2.1.11-stable
      • Bug 33877: Disable Samples and Regression tests For Libevent Build
    • Bug 31573: Catch SessionStore.jsm exception
    • Bug 32318: Backport Mozilla's fix for bug 1534339
    • Bug 32414: Make Services.search.addEngine obey FPI
    • Bug 32493: Disable MOZ_SERVICES_HEALTHREPORT
    • Bug 32618: Backport fixes from Mozilla bugs 1467970 and 1590526
    • Bug 33342: Avoid disconnect search addon error after removal
    • Bug 33726: Fix patch for #23247: Communicating security expectations for .onion
    • Bug 34157: Backport fix for Mozilla Bug 1511941
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.21.8
      • Translations update
      • Bug 19757: Support on-disk storage of v3 client auth keys
      • Bug 30237: Add v3 onion services client authentication prompt
      • Bug 30786: Add th locale
      • Bug 30787: Add lt locale
      • Bug 30788: Add ms locale
      • Bug 33514: non-en-US Tor Browser 9.5a6 won't start up
    • Bug 19251: Show improved error pages for onion service errors
    • Bug 19757: Support on-disk storage of v3 client auth keys
    • Bug 21952: Implement Onion-Location
    • Bug 27604: Fix broken Tor Browser after moving it to a different directory
    • Bug 28005: Implement .onion alias urlbar rewrites
    • Bug 30237: Improve TBB UI of hidden service client authorization
    • Bug 32076: Upgrade to goptlib v1.1.0
    • Bug 32220: Improve the letterboxing experience
    • Bug 32418: Allow updates to be disabled via an enterprise policy.
    • Bug 32470: Backport fix for bug 1590538
    • Bug 32645: Update URL bar onion indicators
    • Bug 32658: Create a new MAR signing key
    • Bug 32674: Point the about:tor "Get involved" link to the community portal
    • Bug 32767: Remove Disconnect search
    • Bug 33698: Update "About Tor Browser" links in Tor Browser
    • Bug 33707: Swap out onion icon in circuit display with new one
    • Bug 34032: Use Securedrop's Official https-everywhere ruleset
    • Bug 34196: Update site info URL with the onion name
    • Bug 34321: Add Learn More onboarding item
  • Windows
    • Bug 22919: Improve the random number generator for the boundaries in multipart/form-data
    • Bug 29614: Use SHA-256 algorithm for Windows timestamping
    • Bug 33113: Bump NSIS version to 3.05
  • OS X
    • Bug 32505: Tighten our rules in our entitlements file for macOS
  • Linux
    • Bug 27903: Tor Browser 8 does not respect gtk3 settings
    • Bug 34315: Avoid reading policies from /etc/firefox on Linux
  • Android
    • Bug 26529: Notify user about possible proxy-bypass before opening external app
    • Bug 30767: Custom obfs4 bridge does not work on Tor Browser for Android
    • Bug 32303: Obfs4 is broken on Android Q
    • Bug 33359: Use latest Version of TOPL and Remove Patches
    • Bug 33931: obfs4 bridges are used instead of meek if meek is selected in Tor Browser for Android alpha
  • Build System
    • All Platforms
      • Update Go to 1.13.11
      • Bug 33380: Add *.json to sha256sums-unsigned-build.txt
    • Windows
      • Bug 33802: --enable-secure-api is not supported anymore in mingw-w64
    • Linux
    • Android
      • Bug 28765: LibEvent Build for Android
      • Bug 28766: Tor Build for Android
      • Bug 28803: Integrate building Pluggable Transports for Android
      • Bug 30461: Clean up tor-android-service project
      • Bug 32993: Package Tor With Tor Android Service Project
      • Bug 33685: Add Support for Building zlib for Android

Like I said nothing happens. Possibly could be because I have set StrictNodes 1. I would expect some notification to popup to show the onion and ask permission to connect, but nothing. The pink .onion available button just disappears? I think there may have been some popup that flashed the first time but nothing now, could have been imagining that though! Could you please tell me what the css modifier is so I can hide/or color the button?

While on the subject. I think it would be a good idea to have error pages for such settings; often I just get the timed-out error page, which doesn't explain anything. Thank you.

The behavior you are describing is very strange. I agree we should provide a message and/or error if there is a failure of some kind. "StrictNodes 1" should not result in this behavior, because you should receive an error page saying the website could not be loaded (instead of failing silently).

I opened a ticket for this: https://trac.torproject.org/projects/tor/ticket/34395

The css patch is:
https://gitweb.torproject.org/tor-browser.git/diff/browser/components/o…

I figured out the problem. After clicking the button that disappears, if I change tabs, the button reappears. Upon clicking it the second time the message "Tor Browser prevented this page from automatically redirecting to another page." appears. Due to having "accessibility.blockautorefresh;true" set, with this as false it automatically redirects, though there is no popup to verify the redirection, which is the kind of reason why I have this set. Clicking allow then tries to load the onion, though as usual for me it just endlessly loads then times out.

zoobab

June 08, 2020


The .onion redirector doesn't really work, Tor Browser is stopping autoredirects and I need to click "Allow" in the top bar to make it work...

zoobab

June 08, 2020


I've tried to bring in Tor several times. Costing me almost 200 MB each time just to find out that once again it won't work for one reason or another. Is Tor being blocked? Am I doing something wrong? Is it just another of the many scams I encounter in a day? An inquiring mind wants to know but can't find out. I know nothing about the net or web or whatever. I do know I'm being blocked / censored by a virus riding on chrome and can do nothing about it. Screw it. Goodbye.

We may respond, but we don't have any useful information. The Tor Project does not collect/log IP addresses for websites hosted on our webservers. Similarly, the Tor network is run by volunteers, so The Tor Project doesn't have access to users' IP addresses connecting to relays in the network.

Do you have Javascript completely disabled? In recent Tor Browser versions, on the "Safest" security level, Javascript is disabled within the entire browser. You can re-enable it by opening "about:config", search for "javascript.enabled" and toggle the preference to "true". Please see the announcement on the Tor Browser 9.0.7 blog post: https://blog.torproject.org/new-release-tor-browser-907

zoobab

June 09, 2020


Three problems:

1) Can't get past CAPTCHA logging in on bugs.torproject.org with TOR Browser. No CAPTCHA logging in with Firefox. The irony!

2) Can't submit new bug to the bug tracker because my login's not authenticated.

3) I wish to register a complaint about the "cousine" monospace font used by the Tor Browser. (Firefox uses DejaVu Sans Mono.) To wit: The "box drawing" characters aren't monospace.

Try this on YOUR browser:

╔═══════════════════════════════╗
║ INDEX ║◀━━━
║ ║
║ ┏━━━┓ ┏━━━┓ ║
║ ┃ < ┃ ┃ > ┃ ║
║ ┗━━━┛ ┗━━━┛ ║
║ TabUp TabDn ║
║ ┏━━━┓ ║
┏━━━━━━━━━━━━━━┫ ▶ ┃ ║
┃ ║ ┗━━━┛ ║
┃ ║ Start ║
┃ ║ ║
┃ ║ ║
┃ ╚═══════════════════════════════╝



┃ ╔═══════════════════════════════╗
┗━━━▶║ SLIDE ║◀━━━
║ ║
║ ┏━━━┓ ┏━━━┓ ║
║ ┃ < ┃ ┃ > ┃ ║
║ ┗━━━┛ ┗━━━┛ ║
║ Prev Next ║
║ ┏━━━┓ ┏━━━┓ ║
┏━━━━━━━━━━━━━━┫ ▶ ┃ ┃ ┃ ║◀━━━
┃ ║ ┗━━━┛ ┗━━━┛ ║
┃ ║ Play Blank ║
┃ ║ ┃ ║
┃ ║ ┃ ║
┃ ╚═══════════════════┃═══════════╝
┃ ┃
┃ ┃
┃ ┗━━━━━━━━━━━━━━━━

┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

zoobab

June 10, 2020


Is it by design that in the new version, noscript remembers the site settings if "override tor browsers security level preset" is checked?
I remember it being mentioned in an earlier discussion that saving noscript settings is (was?) considered a security risk?

I have seen this too on tbb9.5 and older. Some sites like forum and others.
Onion is something, I think, with cloudflare. Endless hops with "Alternate Service Mapping", I don't remember setting in about:config, on(=default).
Message is about network-observer.js.

zoobab

June 11, 2020


1) it's difficult to locate your 'Feedback' link
2) your 'Update' process says: " Restart to Update Tor' " which is so confusing!! 'Restart WHAT ??? .. restart Win10 ??? restart the Tor browser ?? Each possibility can result in MAJOR problems !! so: ASK US DIRECTLY ! : "' Restart TOR ....." .... "Restarting Windows can be a LONG and frustrating experience !!" ( 15 mins on my huge system !! ) !!

Thanks for the feedback. This is a good place for it. We can improve this update experience if the interface doesn't make clear the "Restart to update Tor Browser" message is a button that restarts the browser (not the computer).

zoobab

June 11, 2020


Just a nitpick, but in future I would appreciate if you didn't include screen captures with subjects such as politics. If I wanted to read that propaganda, I would visit the websites myself. Thank you.

NoScript provides protections in addition to filtering javascript, therefore you are better enabling the Safest security level which includes setting javascript.enabled to false and other protections.

zoobab

June 12, 2020


Is the "onion site available" feature supposed to work on android too? I tried torproject.org and EFF.org and I'm not seeing any indication.

zoobab

June 13, 2020


Scary red screen + 'Something went wrong!'

How does Tor Browser know that something went wrong?

A check at check.torproject.org reveals: Congratulations. This browser is configured to use Tor.

So the two official statements would seem to contradict each other. Did something go wrong or not? Also, why is Tor making this check on browser start? Is Tor Browser sending connection information to a server somewhere we should know about?

There are four questions asked in this comment. Thanks for playing.

zoobab

June 13, 2020


[Moderators: why does the Outreachy post forbid user comments?]

Google funding always makes me nervous because that company's business goals typically seem oppositional to the cybersecurity and privacy needs of Tor users. That said, I am particularly happy to see this:

> Nicolei Ocana - Introduction
> Project: Help Tor Project support our users
> Mentor: Gus
>
> This project will help us to support our users and ensure that they receive and can find the most up to date information on using our products.

Off the top of my head:

o Probably the simplest and easiest positive step would be a regular Friday post in which Tor users are allowed to post observations, questions ("is the following evidence of an attack or a bug or just me not doing it right?") and concerns not necessarily related to anything TP has posted recently; if NO could do that he might get some good ideas about the rest of his work at TP,

o NO should not assume everyone has fast internet, a smart phone, email, access to international electronic payments etc--- many potential users who badly need Tor do not live in places where such things are easy for poor people to obtain,

o Tor documentation still needs massive reworking (i) all pages should have date of last update (ii) smaller images so faster loading time for users w slow internet (iii) Community Portal needs to be updated to take account of COVID-19 lockdowns (iv) prompt reporting of evidence of novel attacks on Tor users esp by state-sponsored attackers who hire cyberware as a service companies like NSO Group (v) help desk for those setting up and using onion sites (aimed at small newspapers and small NGOs) (vi) clearer description of how to report bugs or possible cybersecurity issues to TP (vii) some job descr in TP needs to include tracking all of these things to make sure they get done (tickets perhaps?),

o Posts by TP researchers/coders are all too rare and I have been begging for years for (i) an authoritative overview of how cryptology is used in Tor and how TP is preparing for practical easily deployed quantum cryptanalysis, (ii) review of other possible attacks exploiting flaws in pseudorandom number generators, flaws in clock sync, on-by-default built in microphones, known close access attacks (e.g. "stray emanations" from devices and peripherals), etc. (iii) comparison of i2p (for example) to Tor circuits, (iv) best guess of risks in using/operating onion sites, (v) most interesting new ideas from the privacy research literature, (vi) node diversity (e.g. once again a single large family appears to carry at least 1/3 of Tor exit node traffic--- that's too much potential surveillance power for anyone to have--- what if USG somehow takes control of that family?)

o I'd love to see TP working more closely with Signal and i2p in particular; these technologies seem very different from Tor but with creativity perhaps they can be combined so that 1+1=10,

o I'd love to see more explicitly political work by TP, e.g. working with ACLU, EFF, Privacy International, RU and CN groups to try to pressure political leaders to allow more freedom (obviously very challenging task in RU, CN, US, UK but for sure things will only get worse if we do not fight back in the political as well as the technical arena).

If the blog post does not allow comments, then that is because the author wasn't looking for feedback. I don't understand why receiving funding from Google should make you nervous, how Tor uses the funding is what matters.

On that topic, Tor barely has enough resources (person-time, funding, know-how) for keeping everything working as well as possible. Nearly everything you ask is only possible if Tor doubles in size (in nearly every way), until then this will remain a wishlist (so we can concentrate on keeping this ship floating and moving in the right direction at a reasonable speed).

"I don't understand why receiving funding from Google should make you nervous, how Tor uses the funding is what matters."

If you don't understand why, then you need to retake Ethics 101 without cheating.

Newhire quality at TorHQ seems a bit lacking these days.

zoobab

June 15, 2020


Sorry to be off topic, but since I just figured that trac.torproject.org went read-only, will your gitlab instance open to the public for bug reporting/contributing any time soon?

Yes, "soon". This is being worked on, but gitlab is a very different beast from trac, so some functionality won't be like-for-like. New accounts will be created as needed beginning in the near future, but finding a replacement for the cypherpunks account is still an open problem.

zoobab

June 16, 2020


Since 9.0 release it's not possible anymore to use TBB without Tor. Before that I'd use a separate manually "un-tored" bundle for situations where I need to connect without Tor while still benefiting from TB's browser patches. For example, I don't want to login into certain non-anonymous accounts over Tor when there's no benefit and could even cause problems of various kinds.

I wish this was still possible, I don't want to give up all your wonderful browser patches just to connect without Tor.

I know there exists SecBrowser developed by Whonix, but it's not available as a downloadable bundle, you can install it only on Debian. I'm not sure even SecBrowser works anymore though, since it relies on user.js and TBB (since 9.0) overwrites those tor-related user.js preferences back to defaults. Manually setting those preferences in about:config doesn't work either, anyway.

I hope someone is willing to look into this, even though it's a non-standard use of TBB.

zoobab

June 16, 2020


Suggestion: I think it would help making the user more anonymous if the Tor Browser would natively support user agent spoofing as that of anti-fingerprinting feature....