New Release: Tor Browser 9.5a4

Tor Browser 9.5a4 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

This new alpha release picks up security fixes for Firefox 68.4.0esr and 68.4.1esr. In addition, this release updates the bundled NoScript extension to its latest version.

Reproducible Builds

The issue with reproducible builds mentioned in the 9.0.1 blog post is now resolved in this release.

ChangeLog

The full changelog since Tor Browser 9.5a3 is:

  • All Platforms
    • Update Firefox to 68.4.1esr
    • Bump NoScript to 11.0.11
    • Translations update
    • Update OpenPGP keyring
    • Bug 31134: Govern graphite again by security settings
    • Bug 31855: Remove End of Year Fundraising Campaign from about:tor
    • Bug 32053: Fix LLVM reproducibility issues
    • Bug 32547: Add new default bridge at UMN
    • Bug 32659: Remove IPv6 address of default bridge
  • Windows + OS X + Linux
    • Update Tor to 0.4.2.5
    • Update Tor Launcher to 0.2.21
      • Bug 32636: Clean up locales shipped with Tor Launcher
      • Translations update
    • Bug 32674: Point the about:tor "Get involved" link to the community portal
  • Build System
    • All Platforms
    • Linux
      • Bug 32676: Create a tarball with all Linux x86_64 language packs
Mateus

January 11, 2020

Permalink

> In addition, this release updates the bundled NoScript extensions to its latest version.
Not sure how many extensions you have, but this release downgrades NoScript from 11.0.12 to 11.0.11...

That is unfortunate. There is only one NoScript extension, but I see version 11.0.12 was released within the last few days. The Tor Browser release was frozen earlier in the week. Tor Browser should automatically upgrade NoScript to version 11.0.12 (again).

Mateus

January 11, 2020

Permalink

browser.display.document_color_use is still broken, and does not honor '2' the way ESR does.
IE, "colors" dialog page still broken.

Mateus

January 11, 2020

Permalink

Please, stop shipping Windows Components (d3dcompiler_47.dll) with your bundle.

Mateus

January 13, 2020

In reply to by boklm

Permalink

For many different reasons... (each version of windows has its own version of that component, it is not recommended to ship windows components, you have to maintain it, etc)

See how MS handles it:
• All updates for .NET Framework 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, and 4.6 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see KB 4019990.
https://support.microsoft.com/en-us/help/4535102/kb4535102

Mateus

January 11, 2020

Permalink

> Bug 32676: Create a tarball with all Linux x86_64 language packs 68.3.0esr
68.3.0esr?

The alpha releases include new changes that have been less tested. Those changes are usually improvements, but they can sometime cause unexpected issues.

In case of critical security issue, we fix the stable release in priority.

Also, there are many stable release users, but only a small number of alpha users. So you are part of a larger group when using the stable release.

If security and anonymity is critical to you, you should stay on the stable release. If you want to see the new changes in advance, and help test them, you should use the alpha.

Mateus

January 12, 2020

Permalink

Does anyone else notice that seemingly NoScript releases its new version shortly after the TorBrowser comes out?

Knowing that the TB users will get this update directly from the 3rd party (George) and automatically - without the Tor developer review process - is a concern.
Hope I'm wrong, but it looks like NoScript likes immediately overwriting some anonymity sanitizing that the Tor people configure in NoScript that ships in the TB bundle. Anyone to review?

Even if not, this fore-trusted add-on updating for such a critical plug-in seems to be a security loophole.
Consider disabling the No-Script auto-updating (just release new TB with the updated NoScript). Or make replacing it with an in-house solution a higher priority?

It's great to see someone else has reopened this issue, but...
This ticket has been open for 6 years!!?
Even the slightest chance of a subversion - is not that kind of critical?
Hope the programmers out there get a signal of urgency and step out to help.
Thanks to all who can.

This is pro-privacy proposal:
Intent to Deprecate and Freeze: The User-Agent string
Summary

We want to freeze and unify (but not remove) the User Agent string in HTTP requests as well as in `navigator.userAgent`

Motivation

The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.

Mateus

January 16, 2020

Permalink

When I installed Tor, at the beginning the last hop of the e-mail rout was:
WhoIs 81.17.27.133? MailHops API Info Location: TZ: Europe/Zurich, , Switzerland Host:
now is mysteriously changed compromising the system because it appears:
WhoIs 109.70.100.20? MailHops API Info Location: Vienna, Austria, Austria Host: tor-exit-anonymizer.appliedprivacy.net
Do you have any advice to restore the previous settings, please?

Mateus

January 17, 2020

Permalink

Ich kann machen was ich will es gibt keine Verbindung zum möglichen Horst auch alle Kontakte zur Webseite sind unterbrochen und werden mit unsicher und veraltete Sicherheitsbestimmungen geblockt!

Mateus

January 17, 2020

Permalink

Keine Verbindung mehr möglich alles wird mit veraltete Sicherheits Bestimmumgen begründet

Mateus

January 18, 2020

Permalink

Keine Verbindung von einen Tag auf den anderen hier aus deutschland mehr möglich möglich alle Möglichkeiten wurden ausgeschöpft

Mateus

January 18, 2020

Permalink

links not working correctly

.onion links sometimes don't work. It's like refreshing the page but it works the second time.
and please add more video file types. Some videos does not load when I try to.

Mateus

January 22, 2020

Permalink

I hv been using the 9.04 and the alpha build for pc.

Before the update to 9.04, TOR Network work really fast from Indonesia using obs4 or meek.

But now after 9.04 update, the network become so slow. Loading a search result from DDG took about 3min.

I try using meek and it fail to connect. When I dont use bridge, it also become more slow. Checking from the log, I just aware Indonesia only have 3 to 4 bridge available.

In the alpha build, the snowflake bridge also failed to connect.

When I try android version, it also took same response.Trying different website and it also slow.

Now back to pc version:
Looking in the hop list, I aware that my final hop always been changing itself every 4sec.

Something seems wrong in bridge network of TOR. Some website also ask my age, seems like the cookies never saved.

Mateus

January 23, 2020

Permalink

I use requested bridge from TOR. Allow firewall & turn off controlled access folder.
But TOR still slow loading media (pictures and video).
It even slow loading media from TORproject.org.
The only it fast loading image is from duckduckgo.

Mateus

January 24, 2020

Permalink

> Update OpenPGP keyring

What does this mean exactly? Will your keys I saved no longer verify your files I download? Do I have to accept the key from "--locate-keys" as the only source and can't corroborate it?

The Tor Browser build process involves downloading components from various places, which we verify using gpg. This line in the changelog is about updating one the gpg keyring we use for that. Actually I think it should have been in the "Build System" part.

Mateus

January 25, 2020

Permalink

First, THANKS for all your work TBB Developers!!!

Clicking on the (i) Icon next to the URL bar I can't see the circuits anymore. Why is that?
All I see is "Connection" and "Permissions" ....
Tor Browser is tor-browser-linux64-9.5a4_en-US.tar.xz in Whonix-Workstation.

I'm sorry I didn't get back to you sooner.
Your are right! Tested TBB (9.0.4 and 9.5a4) on my "normal" Fedora Workstation (non Whonix) - and it works.
It's the first time I gave Whonix a try - and and most likely it has always been so one cannot see the circuits.
Thanks for your anwer! :-)

Mateus

January 26, 2020

Permalink

Thank you for the privacy sweeper. That is exactly what I often use.

The "security level" shield has practically seen only three alternatives to choose from. Why could it not be a drop down menu? Then I could get through with two clicks instead of five now.

The reason to have the security level in the preferences pane is to reinforce the idea that it is being applied to the whole session and not just to a particular tab or window. A drop down menu could give the impression that it applies only to the current tab or window.