New Release: Tor Browser 9.5a2

Tor Browser 9.5a2 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This new alpha release contains various bug fixes and improvements. Among them, we improved the letterboxing experience. Additionally, we added a banner on the starting page for our fundraising campaign Take Back the Internet with Tor.

Known Issue

As with the stable release, we currently have a reproducible build issue. We recently made some progress on the issue and are getting closer to having a fix.

The full changelog since Tor Browser 9.5a1 is:

  • All Platforms
    • Update NoScript to 11.0.7
      • Bug 21004: Don't block JavaScript on onion services on medium security
      • Bug 27307: NoScript marks HTTP onions as not secure
    • Bug 30783: Fundraising banner for EOY 2019 campain
    • Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
    • Bug 32318: Backport Mozilla's fix for bug 1534339
    • Bug 32250: Backport enhanced letterboxing support (bug 1546832 and 1556017)
    • Bug 31573: Catch SessionStore.jsm exception
    • Bug 27268: Preferences clean-up
  • Windows + OS X + Linux
    • Update Tor to
    • Update Tor Launcher to
      • Bug 32164: Trim each received log line from tor
      • Translations update
    • Bug 31803: Replaced about:debugging logo with flat version
    • Bug 31764: Fix for error when navigating via 'Paste and go'
    • Bug 32169: Fix TB9 Wikipedia address bar search
    • Bug 32210: Hide the tor pane when using a system tor
    • Bug 31658: Use builtin --panel-disabled-color for security level text
    • Bug 32188: Fix localization on about:preferences#tor
    • Bug 32184: Red dot is shown while downloading an update
    • Bug 27604: Fix broken Tor Browser after moving it to a different directory
    • Bug 32220: Improve the letterboxing experience
    • Bug 30683: Backport upstreamed fix from Mozilla (bug 1581537)
  • Android
    • Bug 32342: Crash when changing the browser locale
    • Bug 32303: Obfs4 is broken on Android Q
  • Build System
    • All Platforms
    • Android
      • Bug 28803: Integrate building Pluggable Transports for Android

November 12, 2019


Public-Key-Pins: An unknown error occurred processing the header specified by the site. en-US

The most annoying error is still:
[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.removeSheetUsingURIString]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/ExtensionCommon.jsm :: runSafeSyncWithoutClone :: line 75" data: no] 7 ExtensionCommon.jsm:75:12
runSafeSyncWithoutClone resource://gre/modules/ExtensionCommon.jsm:75
cleanup resource://gre/modules/ExtensionContent.jsm:403
close resource://gre/modules/ExtensionContent.jsm:913
destroyed resource://gre/modules/ExtensionContent.jsm:998
observe resource://gre/modules/ExtensionContent.jsm:1016

Pictures are still not loading on some sites.

fucking cloudflare again

Thanks for your hard work!

A long-standing wish: it would help if your GPG signature filenames ended in '.sig' instead of the current '.asc'.
Some gpg linux software (like KGpg) is associated with '.sig', so clicking on the files in file manager nicely performs the verification.
In contrast, when your '.asc' files are clicked, it always causes the prompt to provide a new name to overwrite the files.

Thanks to the Tails devs for already using '.sig' and thus avoiding this annoyance!

There is a ticket open for changing Firefox's behavior when a .asc is requested. I agree it is annoying that the world uses two different file extensions for the same type of file, but gpg produces .asc files by default - it seems silly that other PGP/GPG tools do not handle that correctly. On the other hand, .sig is more explicit about what the file contains (a signature), instead of some-ascii-armored textblob.

I opened a ticket for this -

L'antivirus, al download, dice che Tor potrebbe danneggiare il mio PC.

quale antivirus usi?

My letter box is 1cm each side but 3 cm at bottom of screen. Means I lose lot of screnn! any way to change this setting manually? I dont like it too big.

Is that the default configuration? You see letterboxing when you start the browser? Did you customize the browser? Did you add a toolbar, like the bookmarks bar?

Yes default. I didn;t touch any thing new. Only make the browser full size on screen by click box in top corner.

> Yes default. I didn;t touch any thing new. Only make the browser full size on screen by click box in top corner.

"full size" (called "maximizing the window") is not the default when you start the browser. sysrqb was asking about the state of the window when you first open Tor Browser or after you start a "new identity" by clicking the broom icon. The letterbox frame is intended to appear when you resize from that initial size such as when you maximize the window. It is not intended to appear on the default state of the window when you first open Tor Browser or after you start a new identity.

That's probably because it's desktop, and the toolbar is showing, see and the toolbar icons cause the height to be 1 to 5 pixels short, causing a LB close to 100px (now all at the bottom)

I will check and report back. Si, it desktop (Windows 10, ASUS laptop) but didnt happen before. I have no toolbar showing. TBB stable not do. TBB alpha was ok before 9.5a2 for me. Sorry to be pain in ass, I love your TBB and Tails friends and gracias for all help every day.

Are there any plans for an Anti-DDoS functionality in Tor and Tor-Browser?

This could be done by requiring proof of work every N requests/minutes to be able to access an .onion site (see hashcash). Doing this via JS is not really an option because many people disable it for security reasons.

If not, please consider this for an upcoming version. Many websites suffer from DDoS and I think this could be an effective solution to the problem.

torbirdy fix would be a good start

opening about:preferences#privacy from the security toolbar button leads to adding about:preferences#tor items at the end of about:preferences#privacy

Handler function threw an exception: [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsICacheInfoChannel.isRacing]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource://devtools/server/actors/network-monitor/network-response-listener.js :: NetworkResponseListener.prototype._getSecurityInfo< :: line 334" data: no]
Stack: NetworkResponseListener.prototype._getSecurityInfo<@resource://devtools/server/actors/network-monitor/network-response-listener.js:334:26
Line: 334, column: 0 2 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:117
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

still some FPI leaks:
[11-17 09:06:49] Torbutton INFO: tor SOCKS: via

New Browser Console is outstanding in its CPU usage and freezes the entire browser:
Script: resource://devtools/client/webconsole/reducers/messages.js:1341
Script: resource://devtools/client/webconsole/components/ConsoleOutput.js:150

NoScript is still fucking computers with thousands of:
[11-17 10:59:15] Torbutton INFO: controlPort >> 650 STREAM 26704 CLOSED 133 cflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion:443 REASON=DONE

just do it

Tor browser android version 9.*.* cache is not cleared by standard methods in online mode. Cleaning is possible only after closing the program. Each time after authorization it is necessary to close the program and start again. Can you fix it so that the full cache cleanup works online? Or is it impossible to fix?

HTTPS Everywhere Options in about:addons

TypeError: chromeWin.gBrowserInit is undefined ext-webNavigation.js:140:1

Thank you for fixing the wiki search bar issue. I thought it was just me.

But, isn't the window size supposed to be a configured size due to fingerprinting concerns? Mine does not seem to be, & I wasn't sure if that was no longer a concern.

Please disregard my previous comment regarding window size. It seems to work now... weird. I didn't change anything, but it didn't seem to work on one page, but did on another.

Which page? Are you using Tor Browser 9.5a2? If letterboxing is enabled, which it is by default, window size does not contribute to fingerprinting as much as it does without letterboxing. You should see bars or margins of blank space around the edges the web page display area. If your first try was in a window whose size you changed, then your description is normal behavior. But if your first and second tries were in a window of the same size, you may have found a bug that you should provide more information about.

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
when it should be
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0

This ticket is still open, the proposed patches have not been merged yet.

aaand? it doesn't mean you can violate the spec.

Which spec are you talking about, and how are we violating it?

You don't know specs for UA o_0
You are not allowed to report mix of arches.

> You don't know specs for UA o_0
> You are not allowed to report mix of arches.

We're allowed to do anything we want. I'll just let tom explain it

"RFP violates web standards all over the place actually. We explicitly do so in the name of user intervention - the user has opted into a mode that has reduced compatibility on the web and breaks some features but provides greater privacy. At some point in the future it would be wonderful if RFP and Web Standards converged again - but it's going to have to be Web Standards that come to meet RFP - not the other way around"


you don't understand what you're talking about.

This ticket is not for RFP!

Are you seeing this in Tor Browser or Firefox?

Tor Browser with js reports
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
without js
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
fix this nonsense!

somebody smart decreased the number of connections to Trac so that TBB is loading some tabs forever :(

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

7 + 6 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.