New Release: Tor Browser 9.5a3

by boklm | December 4, 2019

Tor Browser 9.5a3 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

This new alpha release picks up security fixes for Firefox 68.3.0esr and updates our external extensions (NoScript and HTTPS Everywhere) to their latest versions. Among other things, we made some cleanups in torbutton and fixed localization in the Android bundles. We also add three new locales: lt (Lithuanian), ms (Maylay), and th (Thai). Please help us test those new locales if you speak those languages.

Reproducible Builds

The issue with reproducible builds mentioned in the 9.0.1 blog post is still present in this release. However, we made progress on understanding the issue and are getting closer to a fix.

ChangeLog

The full changelog since Tor Browser 9.5a2 is:

  • All Platforms
    • Update Firefox to 68.3.0esr
    • Bump NoScript to 11.0.9
      • Bug 32362: NoScript TRUSTED setting doesn't work
      • Bug 32429: Issues with about:blank and NoScript on .onion sites
    • Update HTTPS Everywhere to 2019.11.7
    • Bug 32618: Backport fixes from Mozilla bugs 1467970 and 1590526
    • Bug 32606: Set up default bridge at Georgetown University
    • Bug 30787: Add lt locale
    • Bug 30788: Add ms locale
    • Bug 30786: Add th locale
    • Translations update
    • Bug 28746: Remove torbutton isolation and fp prefs sync
    • Bug 28745: Assume always running in Tor Browser
    • Bug 30888: move torbutton_util.js to modules/utils.js
    • Bug 30851: Move default preferences to 000-tor-browser.js
    • Bug 28745: Remove torbutton.js unused code
    • Bug 32255: Missing ORIGIN header breaks CORS
  • Windows + OS X + Linux
    • Update Tor to 0.4.2.4-rc
    • Update Tor Launcher to 0.2.20.3
    • Bug 30237: Improve TBB UI of hidden service client authorization
  • Android
    • Bug 32365: Localization is broken in Tor Browser 9 on Android
    • Bug 32405: Crash immediately after bootstrap on Android
  • OS X
    • Bug 32505: Tighten our rules in our entitlements file for macOS
  • Windows
    • Bug 32616: Disable GetSecureOutputDirectoryPath() functionality

Comments

Please note that the comment area below has been archived.

December 07, 2019

Permalink

I think I have a very interesting point to make... currently tor circuit chooses a fixed first server "guard" that doesn't change often (because of some sort of attack if I recall correctly).

I would like to see a option to allow also a: "FIXED GUARD EXIT" (probably adding one additional hop server in the connection loop will be need to have some additional protection).

Why? Many, many web sites simply don't work, even if they don't try to block Onion ("Tor") because they use sometimes multiple URL's and require captchas (ex.: download web sites) and they associate the correct resolution of the captchas to the IP, but since the onion ("Tor") creates a different IP for each URL makes it impossible to use many web sites. Also many web sites don't have captchas but if one logs in and the IP changes during the session they will log out the user for security reasons... in Tor Browser these can happen a lot!

Because always exiting on the same IP may help identify someone it should be some special group tab session or something like that, so that the user absolutely knows it is using a fixed IP at the exit point, and that should have a permanent warning informing that, informing that it should only be used on web sites that don't work properly in the normal "Tor Browser" session. The special group tab should allow opening of new windows using the same exit point IP address since I've notice web sites doing that on the past where they will open a new URL in new windows/ tabs with the thing that the user wants after successfully solving captchas/ seeing the publicity... but the new URL will NEVER work because the IP's don't match... and the same to see images where one can't grab them because the servers see different IP's (they have one URL to display and other to host the images) and don't allow the download.

I hope you can add these to help make Tor Browser more useful.

December 08, 2019

Permalink

I found that the conformation dont come through after you sign up ?
Is this a problem or is it just delayed ?

December 09, 2019

Permalink

Noscript blue pop-up to allow media applies permanent custom per-site permissions in noscript options. These permissions persist after new identity and closing browser. I expected new identity or closing browser to revert blue pop-up. I understand that noscript options applied manually are supposed to persist, but I was not expecting blue permissions to persist because the pop-up is exposed to users whether or not noscript icon is hidden. Are blue pop-up permissions intended to persist?

Permissions can be reverted manually in noscript options or by changing security level.

December 10, 2019

Permalink

TypeError: controller is null textbox.js:230:7
doCommand chrome://global/content/elements/textbox.js:230
_initUI chrome://global/content/elements/textbox.js:110

December 11, 2019

Permalink

Switching svg.disabled to false breaks NoScript's per-site settings and change everything from Safest to Safer level! That's not what I want!

December 16, 2019

Permalink

I'm pressing 'New Circuit for this Site' continuously, and the guard changes randomly between the two relays: one in Germany and one in France. What's going on?