New Release: Tor Browser 9.0

by boklm | October 22, 2019

Update [7:30 UTC]: Clarified the amount of locales we support. It's 32 with Tor Browser 9.0.

Update [10:45 UTC]: Added a section about letterboxing.

Tor Browser 9.0 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 9.0 is the first stable release based on Firefox 68 ESR and contains a number of updates to other components as well (including Tor to 0.4.1.6 and OpenSSL to 1.1.1d for desktop versions and Tor to 0.4.1.5 for Android).

In addition to all the needed patch rebasing and toolchain updates, we made big improvements to make Tor Browser work better for you.

We want everyone in the world to be able to enjoy the privacy and freedom online Tor provides, and that's why over the past couple years, we've been working hard to boost our UX and localization efforts, with the biggest gains first visible in Tor Browser 8.0.

In Tor Browser 9.0, we continue to build upon those efforts with sleeker integration and additional localization support.

Goodbye, Onion Button

We want your experience using Tor to be fully integrated within the browser so how you use Tor is more intuitive. That's why now, rather than using the onion button that was in the toolbar, you can see your path through the Tor network and request a New Circuit through the Tor network in [i] on the URL bar.

Tor Browser - circuit display - dark theme

 

Hello, New Identity Button

Tor Browser - Toolbar - New Identity Button

Instead of going into the onion button to request a New Identity, we've made this important feature easier to access by giving it its own button in the toolbar.

Tor Browser - New Identity

You can also request a New Identity, and a New Circuit, from within the [=] menu on the toolbar.

Torbutton and Tor Launcher Integration

Now that both extensions are tightly integrated into Tor Browser, they'll no longer be found on the about:addons page.

Tor Browser - about preferences

We redesigned the bridge and proxy configuration dialogs and include them directly into the browser's preference settings as well.

Rather than being a submenu behind the onion button, Tor Network Settings, including the ability to fetch bridges to bypass censorship where Tor is blocked, are easier to access on about:preferences#tor.

Letterboxing

Tor Browser, in its default mode, is starting with a content window rounded to a multiple of 200px x 100px to prevent fingerprinting the screen dimensions. The strategy here is to put all users in a couple of buckets to make it harder to single them out. That worked until users started to resize their windows (e.g. by maximizing them or going into fullscreen mode). Tor Browser 9 ships with a fingerprinting defense for those scenarios as well, which is called Letterboxing, a technique developed by Mozilla and presented earlier this year. It works by adding white margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.

Better Localization Support

If we want all people around the world to be able to use our software, then we need to make sure it's speaking their language. Since 8.0, Tor Browser has been available in 25 languages, and we added 5 locales more in Tor Browser 8.5. Today, we add support for two additional languages: Macedonian (mk) and Romanian (ro), bringing the number of supported languages to 32.

We also fixed bugs in our previously shipped localized bundles (such as ar and ko).

Many thanks to everyone who helped with these, in particular to our translators.

Known Issue

As usual when preparing Tor Browser releases, we verified that the build is bit-for-bit reproducible. While we managed to get two matching builds, we found that in some occasions the builds differ (we found this happening on the Linux i686 and macOS bundles). We are still investigating the cause of this issue to fix it.

Give Feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know. Thanks to all of the teams across Tor, and the many volunteers, who contributed to this release.

Changelog

The full changelog since Tor Browser 8.5.6 is:

  • All Platforms
    • Update Firefox to 68.2.0esr
    • Bug 31740: Remove some unnecessary RemoteSettings instances
    • Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
    • Bug 28196: about:preferences is not properly translated anymore
    • Bug 19417: Disable asmjs on safer and safest security levels
    • Bug 30463: Explicitly disable MOZ_TELEMETRY_REPORTING
    • Bug 31935: Disable profile downgrade protection
    • Bug 16285: Disable DRM/EME on Android and drop Adobe CDM
    • Bug 31602: Remove Pocket indicators in UI and disable it
    • Bug 31914: Fix eslint linter error
    • Bug 30429: Rebase patches for Firefox 68 ESR
    • Bug 31144: Review network code changes for Firefox 68 ESR
    • Bug 10760: Integrate Torbutton into Tor Browser directly
    • Bug 25856: Remove XUL overlays from Torbutton
    • Bug 31322: Fix about:tor assertion failure debug builds
    • Bug 29430: Add support for meek_lite bridges to bridgeParser
    • Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
    • Bug 30683: Prevent detection of locale via some *.properties
    • Bug 31298: Backport patch for #24056
    • Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
    • Bug 27601: Browser notifications are not working anymore
    • Bug 30845: Make sure internal extensions are enabled
    • Bug 28896: Enable extensions in private browsing by default
    • Bug 31563: Reload search extensions if extensions.enabledScopes has changed
    • Bug 31396: Fix communication with NoScript for security settings
    • Bug 31142: Fix crash of tab and messing with about:newtab
    • Bug 29049: Backport JS Poison Patch
    • Bug 25214: Canvas data extraction on local pdf file should be allowed
    • Bug 30657: Locale is leaked via title of link tag on non-html page
    • Bug 31015: Disabling SVG hides UI icons in extensions
    • Bug 30681: Set security.enterprise_roots.enabled to false
    • Bug 30538: Unable to comment on The Independent Newspaper
    • Bug 31209: View PDF in Tor Browser is fuzzy
    • Translations update
  • Windows + OS X + Linux
    • Update Tor to 0.4.1.6
    • Update OpenSSL to 1.1.1d
      • Bug 31844: OpenSSL 1.1.1d fails to compile for some platforms/architectures
    • Update Tor Launcher to 0.2.20.1
      • Bug 28044: Integrate Tor Launcher into tor-browser
      • Bug 32154: Custom bridge field only allows one line of input
      • Bug 31286: New strings for about:preferences#tor
      • Bug 31303: Do not launch tor in browser toolbox
      • Bug 32112: Fix bad & escaping in translations
      • Bug 31491: Clean up the old meek http helper browser profiles
      • Bug 29197: Remove use of overlays
      • Bug 31300: Modify Tor Launcher so it is compatible with ESR68
      • Bug 31487: Modify moat client code so it is compatible with ESR68
      • Bug 31488: Moat: support a comma-separated list of transports
      • Bug 30468: Add mk locale
      • Bug 30469: Add ro locale
      • Bug 30319: Remove FTE bits
      • Translations update
    • Bug 32092: Fix Tor Browser Support link in preferences
    • Bug 32111: Fixed issue parsing user-provided bridge strings
    • Bug 31749: Fix security level panel spawning events
    • Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
    • Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
    • Bug 28044: Integrate Tor Launcher into tor-browser
    • Bug 31059: Enable Letterboxing
    • Bug 30468: Add mk locale
    • Bug 30469: Add ro locale
    • Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
    • Bug 31251: Security Level button UI polish
    • Bug 31344: Register SecurityLevelPreference's 'unload' callback
    • Bug 31286: Provide network settings on about:preferences#tor
    • Bug 31886: Fix ko bundle bustage
    • Bug 31768: Update onboarding for Tor Browser 9
    • Bug 27511: Add new identity button to toolbar
    • Bug 31778: Support dark-theme for the Circuit Display UI
    • Bug 31910: Replace meek_lite with meek in circuit display
    • Bug 30504: Deal with New Identity related browser console errors
    • Bug 31929: Don't escape DTD entity in ar
    • Bug 31747: Some onboarding UI is always shown in English
    • Bug 32041: Replace = with real hamburguer icon ≡
    • Bug 30304: Browser locale can be obtained via DTD strings
    • Bug 31065: Set network.proxy.allow_hijacking_localhost to true
    • Bug 24653: Merge securityLevel.properties into torbutton.dtd
    • Bug 31164: Set up default bridge at Karlstad University
    • Bug 15563: Disable ServiceWorkers on all platforms
    • Bug 31598: Disable warning on window resize if letterboxing is enabled
    • Bug 31562: Fix circuit display for error pages
    • Bug 31575: Firefox is phoning home during start-up
    • Bug 31491: Clean up the old meek http helper browser profiles
    • Bug 26345: Hide tracking protection UI
    • Bug 31601: Disable recommended extensions again
    • Bug 30662: Don't show Firefox Home when opening new tabs
    • Bug 31457: Disable per-installation profiles
    • Bug 28822: Re-implement desktop onboarding for ESR 68
  • Windows
    • Bug 31942: Re-enable signature check for language packs
    • Bug 29013: Enable stack protection for Firefox on Windows
    • Bug 30800: ftp:// on Windows can be used to leak the system time zone
    • Bug 31547: Back out patch for Mozilla's bug 1574980
    • Bug 31141: Fix typo in font.system.whitelist
    • Bug 30319: Remove FTE bits
  • OS X
    • Bug 30126: Make Tor Browser compatible with macOS 10.15
    • Bug 31607: App menu items stop working on macOS
    • Bug 31955: On macOS avoid throwing inside nonBrowserWindowStartup()
    • Bug 29818: Adapt #13379 patch for 68esr
    • Bug 31464: Meek and moat are broken on macOS 10.9 with Go 1.12
  • Linux
    • Bug 31942: Re-enable signature check for language packs
    • Bug 31646: Update abicheck to require newer libstdc++.so.6
    • Bug 31968: Don't fail if /proc/cpuinfo is not readable
    • Bug 24755: Stop using a heredoc in start-tor-browser
    • Bug 31550: Put curly quotes inside single quotes
    • Bug 31394: Replace "-1" with "−1" in start-tor-browser.desktop
    • Bug 30319: Remove FTE bits
  • Android
    • Update Tor to 0.4.1.5
    • Bug 31010: Rebase mobile patches for Fennec 68
    • Bug 31010: Don't use addTrustedTab() on mobile
    • Bug 30607: Support Tor Browser running on Android Q
    • Bug 31192: Support x86_64 target on Android
    • Bug 30380: Cancel dormant by startup
    • Bug 30943: Show version number on mobile
    • Bug 31720: Enable website suggestions in address bar
    • Bug 31822: Security slider is not really visible on Android anymore
    • Bug 24920: Only create Private tabs in permanent Private Browsing Mode
    • Bug 31730: Revert aarch64-workaround against JIT-related crashes
    • Bug 32097: Fix conflicts in mobile onboarding while rebasing to 68.2.0esr
  • Build System
    • All Platforms
      • Bug 30585: Provide standalone clang 8 project across all platforms
      • Bug 30376: Use Rust 1.34 for Tor Browser 9
      • Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
      • Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
        • Bug 31621: Fix node bug that makes large writes to stdout fail
      • Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
      • Bug 31293: Make sure the lo interface inside the containers is up
      • Bug 27493: Clean up mozconfig options
      • Bug 31308: Sync mozconfig files used in tor-browser over to tor-browser-build for esr68
    • Windows
      • Bug 29307: Use Stretch for cross-compiling for Windows
      • Bug 29731: Remove faketime for Windows builds
      • Bug 30322: Windows toolchain update for Firefox 68 ESR
        • Bug 28716: Create mingw-w64-clang toolchain
        • Bug 28238: Adapt firefox and fxc2 projects for Windows builds
        • Bug 28716: Optionally omit timestamp in PE header
        • Bug 31567: NS_tsnprintf() does not handle %s correctly on Windows
        • Bug 31458: Revert patch for #27503 and bump mingw-w64 revision used
      • Bug 9898: Provide clean fix for strcmpi issue in NSPR
      • Bug 29013: Enable stack protection support for Firefox on Windows
      • Bug 30384: Use 64bit containers to build 32bit Windows Tor Browser
      • Bug 31538: Windows bundles based on ESR 68 are not built reproducibly
      • Bug 31584: Clean up mingw-w64 project
      • Bug 31596: Bump mingw-w64 version to pick up fix for #31567
      • Bug 29187: Bump NSIS version to 3.04
      • Bug 31732: Windows nightly builds are busted due to mingw-w64 commit bump
      • Bug 29319: Remove FTE support for Windows
    • OS X
      • Bug 30323: MacOS toolchain update for Firefox 68 ESR
      • Bug 31467: Switch to clang for cctools project
      • Bug 31465: Adapt tor-browser-build projects for macOS notarization
    • Linux
      • Bug 31448: gold and lld break linking 32bit Linux bundles
      • Bug 31618: Linux32 builds of Tor Browser 9.0a6 are not matching
      • Bug 31450: Still use GCC for our ASan builds
      • Bug 30321: Linux toolchain update for Firefox ESR 68
        • Bug 30736: Install yasm from wheezy-backports
        • Bug 31447: Don't install Python just for Mach
      • Bug 30448: Strip Browser/gtk2/libmozgtk.so
    • Android
      • Bug 30324: Android toolchain update for Fennec 68
        • Bug 31173: Update android-toolchain project to match Firefox
        • Bug 31389: Update Android Firefox to build with Clang
        • Bug 31388: Update Rust project for Android
        • Bug 30665: Get Firefox 68 ESR working with latest android toolchain
        • Bug 30460: Update TOPL project to use Firefox 68 toolchain
        • Bug 30461: Update tor-android-service project to use Firefox 68 toolchain
      • Bug 28753: Use Gradle with --offline when building the browser part
      • Bug 31564: Make Android bundles based on ESR 68 reproducible
      • Bug 31981: Remove require-api.patch
      • Bug 31979: TOPL: Sort dependency list
      • Bug 30665: Remove unnecessary build patches for Firefox

Comments

Please note that the comment area below has been archived.

October 22, 2019

Permalink

just

navigator.userAgent
"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"

8.0 bug

October 22, 2019

Permalink

Hello from Win7 32bit - after upgrade from 8.5.5 to 9.0 - I got wrong size of TBB's window!!! - Now main "HTML-View-control" is surrounded with the white-color window-canvas-border. Just wrong calculations. Early there were no issues of such kind .

October 22, 2019

In reply to boklm

Permalink

They tell you this is a bug in sense it should support the dark mode and add black borders.

October 22, 2019

In reply to boklm

Permalink

Correct me if I'm wrong, but with JS disabled, screen size fingerprinting is not possible. If so, the letterboxing can be disabled in about:config under privacy.resistFingerprinting.letterboxing

nope you can still detect and do fingerprinting just fine even with javascript disabled. something called css3 media queries allows a site to detect specific details about the browser without even running javascript. even letterboxing doesn't protect against this tho. it would have been a much better idea to disable certain options when parsing css media queries. preventing loading external resources while inside a css3 media query block would have done away with css fingerprinting without horrid letterboxing.

> it would have been a much better idea to disable certain options when parsing css media queries. preventing loading external resources while inside a css3 media query block would have done away with css fingerprinting

Are you sure your suggestion would not produce collateral damage, ie. break some websites?

October 22, 2019

In reply to boklm

Permalink

Is screen size fingerprinting an issue if javascript is disabled?

October 23, 2019

In reply to gk

Permalink

Come again? Are you saying letterboxing makes things worse if you use "safer" or "safest" setting?

October 23, 2019

In reply to gk

Permalink

I think the @media rules can assign a different background url for each different pixel height and width.
Also, I think @media heights and widths can use other types measurements than only pixels.

I think that if TBB sent false width and height, then the webpage usability would suffer from incorrect other @media rules.
So, designating some noncontinuous widths and heights appears to be the best compromise - usability vs lessened fingerprinting potential.

October 23, 2019

In reply to gk

Permalink

Updating newest torbrowser.Browser.firefox on torbrowser-launcher github fix black problem. Add new problem. Apparmor block noscript and httpseverywhere icons for ubuntu 18. Only security level and new identity icon show. Please make new ticket for fix.

October 22, 2019

Permalink

Once again the "use system colors" setting is being ignored, also my custom page colors are being ignored forcing me to choose between the website's "white page / black text" or the browser-default of black text on a stark white background.

Do you guys know what you turned off, so I can turn it back on? Otherwise I can barely read anything on this page.

October 24, 2019

In reply to gk

Permalink

I'm downloading the ESR non-tor now but, I also have FF-nightly, and palemoon, and waterfox-portable, all of which have never shown this problem. But this is the second (*maybe* third) time an upgrade to TORbrowser causes it to ignore the "custom colors" option.

Last time, I was able to force it back to working by toggling several times between "always" & "never" in the options dialog window. But since this last upgrade I've re-downloaded, and also downloaded the alpha, and made a copy of the browser directory and deleted the original, then re-installed. Whatever is going on, is in my windows profile because it remembers the glitch across versions (downloaded 8.5.5, installed to the desktop, same problem despite being the version I was using) and across directories.

Is there a way to save my bookmarks, and blow away any lingering cruft to show I've ever had TOR installed? I'm running 64b Win-7, and most of the time I'm running TOR from a directory on a Veracrypt encrypted "hard drive" file. What I'm trying to do, is tell the browser to use system colors instead of browser-set defaults, and always override those colors even if the web page I'm viewing specifies other colors.

> Is there a way to save my bookmarks, and blow away any lingering cruft to show I've ever had TOR installed?

There are two ways to export and import bookmarks in Firefox: HTML file or JSON file. Remember any custom bridges and search engine additions, too.

As far as I know, Tor Browser does not write to the registry or outside its folder by default, so deleting the folder should delete all traces of it. See if the color option works if you set it and then close the browser to be sure the UI is totally refreshed.

October 24, 2019

In reply to gk

Permalink

did the exact thing on my home computer. Now I can't use TOR anywhere.
and no, the non-TOR ESR 68 behaves as expected.

October 25, 2019

In reply to gk

Permalink

I was referring to the color setting being ignored, above. Can *you* set custom page colors that are honored? Because neither my chosen colors, nor system colors are honored if I tell TOR to override page-requested colors with my choices...I just get blinding, headache-inducing white.

October 22, 2019

Permalink

On installing 9.0, AVG has placed 'Win64:Evo-gen [Susp]' in quarantine. Though 9.0 seems to be working. Thank you.

"Evo-gen" is likely a false positive. Verision 9.0 is very new; it was released on the day you posted. Your virus scanner provider probably has not updated their virus definition files yet. Wait a few days, update your scanner, restore the file from quarantine, and scan Tor Browser again.

In any case, you could verify Tor Browser's PGP signature.

Updated virus scanner. Deleted quarantine. Reinstalled version 9.0. Nothing put in quarantine. Thank you for your time. As version 9.0 still seemed to be working, not sure what difference running version 9.0 without 'Eve-gen' would make, or if you are permitted to say. cheers.

October 22, 2019

Permalink

can there be a downgrade option, many bugs in 9.0. might just move back to not using Tor browser at all when its like this.

It seems a lot of people don't understand how the changelog works. Maybe the blog post should explicitly say that what's listed are fixes and features. Part of the misunderstanding has probably to do with using the word "Bug" for every ticket on trac, even for user's feature suggestions and the team's own goals and discussions.

Ideally the changelog would be replaced by a written summary of what was fixed and added with a link to the actual changelog at the end.

Commit messages (for example, descriptions of bug patches) are written in imperative mood, not past tense. Some novices might misunderstand this standard practice. If readers misunderstood the word "Bug", they could have clicked on them and found every ticket is labeled "Fixed".
https://duckduckgo.com/?q=commit+message+imperative

How can a list so varied and gigantic be summarized? On some posts for releases in the past, some changes were simply omitted. And this is a major point release, 9.0. I prefer the link to the actual changelog at the beginning of the summary or list so I don't have to scroll through incomplete paragraphs to reach the original document.

> How can a list so varied and gigantic be summarized?

161 bugs in the previous version have been fixed in Tor Browser 9.0, as follows:

Bug 31740: Remove some unnecessary RemoteSettings instances
Bug ...

17 major updates from previous versions are included in Tor Browser 9.0, as follows:

Update Firefox to 68.2.0esr
....

You get the idea. As an overall guidance, I think these announcements should cater to ordinary users more than power users, but should offer details for power users who want them, after offering an overview for ordinary users.

> You get the idea.

I don't. They said, "Ideally the changelog would be replaced by a written summary of what was fixed and added." In other words, they want paragraphs, no list and nothing as unhelpful as one total number. Although, it would get the message across better to say "updates" or "fixes" or "bugs fixed/patched" instead of "bugs".

> It seems a lot of people don't understand how the changelog works. Maybe the blog post should explicitly say that what's listed are fixes and features.

Good point. It seems likely that most Tor users will not have prior experience reading FOSS type changelogs.

October 22, 2019

In reply to boklm

Permalink

He was asking how to completely block all cookies. There is no apparent way to do that with 9.0.

October 23, 2019

In reply to gk

Permalink

Just look at about:preferences#privacy and see that there is no UI to block cookies, unlike in normal Firefox.

I haven't used Firefox 68 ESR but at some point Firefox intricated the cookie controls with the tracking protection controls. Maybe ESR or Tor browser removed the whole thing, and with this went the ability to block cookies.

I don't want to help sites to do even anonymous session tracking, especially when I use something like Tor browser. This is disappointing.

Yes, this got integrated into Tracking Protection. That UI is misleading in a Tor Browser context, though, as it claims the browser provides privacy by blocking. We don't believe that's actually the case in general and definitely not in Tor Browser's context. That's why we decided to hide the UI.

Now, the functionality is still there. If you need to change the cookie settings just adapt the network.cookie.cookieBehavior preference to the value you prefer.

October 24, 2019

In reply to gk

Permalink

Sites store cookie-files in the user's machine for many reasons. A main one reason is for obtaining behavior and preferences from the users, and so use these or even sell them to who can pay for them. It's so an obvious violation of privacy unless the user have agreed with such. The clear question is: "Did this 9.0 tor version remove this kind of privacy?" Yes or No?

Moreover, about the sugested manual alteration in "network.cookie.cookieBehavior". How is that done? That is, default value set is "1". Could please be specified what is the value and/or modification that should be set to recover the feature like was in the previous version of Tor?

Cookies are sometimes required for websites to properly function regardless of JavaScript. If you block all or create a personalized filter, eavesdroppers can identify your traffic as different from other Tor Browser users across browsing sessions. Instead, click the New Identity button or close the browser to erase all cookies between sessions.

You may be interested in "first-party isolation" and Firefox Containers.

Some of the cookie UI in Firefox was removed in Tor Browser. In Preferences, open "Privacy & Security" in the side menu, find the section at the top titled "Cookies and Site Data", read what it says there, and click the button "Manage Permissions...". To find hidden preferences, open a new blank tab, type about:config, and type "cookie" in the search box in that tab. Your question mostly relates to "network.cookie.cookieBehavior". I repeat, changing cookie preferences from Tor Browser defaults will lower your privacy.

Well, this "solution" (i.e. removing the option from the Tor menu) is terribly unpractical to the users. This should be something like an easy doing as always used to be (but not anymore in this version 9). No site at all should have freedom to send or store cookies into our devices, unless explicitly authorized by the users, even if they are temporary or deleted in the end of session. Please, we ask to the Tor team, to return the option to block/unblock all cookies and particular types of cookies..

The cookie settings were made "unpractical" as you call it because users shouldn't be customizing things away from privacy defaults rigorously studied and chosen in their best interests. Users need to be allowed but dissuaded from tweaking and customizing their traffic because doing so actually degrades privacy while they are part of the network and want their traffic to be camouflaged among other Tor Browser users. You would have known that if you cared as much as you claim to do about the topic to actually browse the Tor Project site to research why the developers of Tor Browser did what they did. In short, calm down and RTFM.

"your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity."
https://2019.www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
https://research.torproject.org/
https://www.freehaven.net/anonbib/

So, it is claimed that when a user blocks cookies to some sites, this may expose his white-list?! In this case, how is this worse than making his machine a cook-container (as is the default set of this 9.0 version) which stores all kind of garbage during the sessions until finally he closes the browser or changes identity? In what way this could offer a better privacy? Obviously this cannot. And only cannot, as indeed makes the opposite since cookies (and so scripts) allow to extract the user's profile, preferences, etc. that is, the user be can be more easily identified.

> when a user blocks cookies to some sites, this may expose his white-list?!

Their white-list is not directly exposed, but sites can indirectly learn what their whitelist is by comparing the behavior of their browser to other Tor Browsers.
Read these:
https://blog.torproject.org/comment/283202#comment-283202
https://blog.torproject.org/comment/283857#comment-283857

October 22, 2019

Permalink

Absolutely loving the new Dark theme on Windows, also the GUI redesign. As always, a great job done by guys & gals at TOR; also, that is one massive list of improvements.

Have not tried the updated version on Android, but here's to hoping that bookmark import-export is coming soon.

Thank you people of TOR for the hard work and bringing us this update.

October 22, 2019

In reply to boklm

Permalink

>Do you have steps to reproduce the rss issue?

RSS support was removed from Firefox a while ago.

October 22, 2019

In reply to boklm

Permalink

Hi boklin, I can see that also (I didn't try a fresh install).

At least, it appears a default RSS rendering stylesheet is gone missing, now they get presented in Firefox' raw XML browser.

Also, clicking the RSS link at the bottom of this blog does brings the file download dialogue. That must be a different issue, but it feels wrong too.

FWIW about the former, please just open these in any previous release.
e.g. https://lwn.net/headlines/rss
or even https://news.google.com/rss

This would be a major feature loss : many many content gets so much "lighter" that way _hence_ accessible at all, over bad networks or hardware. Special thoughts to Google News and others, whose standard web "pages" are so bloated they just will not get entirely loaded or readable _ever_.

RSS FTW! (Tor Project if you hear me, please publish RSS feeds everywhere you can and you haven't yet, starting with this comment feed maybe? Thanks!)

\o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/
\o/ \o/ \o/ ONE-CLICK NEW ID \o/ \o/ \o/
\o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/
\o/ A DREAM HAS COME TRUE \o/ \o/
\o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/
\o/ \o/ THANK YOUUUUUUUUU \o/ \o/
\o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/

Thank you to point upstream's removal. Mozilla advertises a "curated addons collection" to replace this feature, but this collection is now empty. So so.

The addon "RSSPreview" does restore the feature, it feels just like the original (simple and light).

https://addons.mozilla.org/en-US/firefox/addon/rsspreview/

No idea about its code quality or security. As an immediate response, I see no better option. Other addons exist, but they look a lot heavier.

October 22, 2019

Permalink

I do not always use browsers full screen. This latest release displays pages as if they are in a window leaving the page with scroll bars inside a whitespace border.

October 25, 2019

In reply to gk

Permalink

For those who use Debian "Buster" and update from the onion mirrors via the version of Tor which comes from Debian with apt-transport-tor, and who also want to use Tor Browser from www.torproject.org, is it better or worse to follow the directions in the link the other commentator provided?

> is it better or worse

In other words, should you re-torify Tor Browser to go through Debian's tor binary package (repackaged Expert Bundle)?

My 2 cents: Under normal circumstances, I would leave it the way it is: minimal reliance on Debian's tor and less to reconfigure in Tor Browser. From my perspective, disadvantages include primarily that your device holds open a few more network connections, and your ISP can see that. But things are different in an enterprise network or if a dedicated machine runs tor for a LAN for example.

Have since recognized that some of the problems I have experienced using the Debian mirror may be due to clock issues. Has anyone at TP studied what can go wrong if the system clock is failing? Maybe we need to be able to adjust the clock faster using NTP while connecting to Tor network? Also a large clock skew is de-anonymizing even for ordinary browsing. I don't understand why my system clock is so far off even after I have reset it manually.

> what can go wrong if the system clock is failing?

Many asynchronous encryption protocols depend on your system clock to be set to accurate time to determine when a key or signature was created, modified and if it is valid, expired, revoked, etc. In a word, it's metadata. This is true for browser TLS/SSL/HTTPS and keys in PGP/GPG. NTP is not usually encrypted, and that has interesting implications for all of those encryption systems that depend on NTP. It shouldn't be necessary to adjust the clock "faster"; just make sure your system time is set before using cryptography. Check your time-zone, and install system updates for time-zones if government laws change (daylight saving time) or if you travel to other countries. If your computer is more than 4 years old and not keeping the time after you reboot, check its CMOS battery that powers the real-time clock when the system is powered off. If you use the NTP Pool project (Debian and Ubuntu do), use a public pool or a secondary (stratum 2) server:

https://www.ntppool.org/
https://support.ntp.org/bin/view/Main/WebHome
https://support.ntp.org/bin/view/Servers/WebHome

October 22, 2019

Permalink

Hey, my interface is broken.

My browser window has a white border inside it.

When I use the default window size, there are two stripes on the top and bottom of the window, about two centimeters in size each.

When I maximise the window, the white border becomes a square, with two centimeters of white space on each side of the window.

OS: Fedora 29, Gnome desktop environment, Wayland window manager

Screenshot:

https://share.riseup.net/#p3QL2554C-nYe7ahcBqKfA

October 22, 2019

Permalink

I'm a Hongkonger. Thanks for maintaining / developing Tor Browser! It's good to know there will always be a browser that would (likely) work, even if the gov were to impose GFW-style censorship in HK.

Will snowflake work in China in the future? Currently, only meek-azure works, right?

I live in mainland. According to some of fellow activists, snowflake bridge works for oftentimes, but you need to reconnect over and over again. Despite this, it's a little bit faster to connect via snowflake than meek. (I haven't tested myself)

I'd love to hear whether either or both of you are able to use Tor Browser to surf to sites such as citizenlab.ca and hrw.org and theguardian.com!

I am concerned that influential US publications such as Wired are not saying anything about Tor's role in getting the word about what is happening inside China. If you feel it is safe to try this, have either of you considered using Wired's Secure Drop site to tell your story to a reporter?

As you probably know, there is great concern among ordinary Americans who have friends who are dual citizens or living in China about what is happening.

> Are you sure Wired's SecureDrop site is up to date with security patches?

No. And I have not had much joy urging news organizations to perform even a casual audit of their own SecureDrop sites. Maybe you can help by joining the effort to check up?

> Maybe you can help by joining the effort to check up?

SecureDrop.org's list is supposed to hide obsolete instances. If you click under "Want to get your instance listed?" to go to the submission form, it says "Freedom of the Press Foundation may perform routine, automated tests against your SecureDrop .onion service and your landing page, to verify uptime and version information, and to perform basic security checks against our landing page recommendations." Basically, contact SecureDrop or Freedom of the Press Foundation.

I checked the onion addresses given in the directory at SecureDrop.org against the onion addresses given in landing pages where these were available with security "highest" (The Washington Post messed up even that simple requirement), and the addies: I checked seem to all be OK:

Al Jazeera
aljazeerafo4sau2.onion

Buzzfeed
ndg43ilvrrj465ix.onion

Daily Beast
bcwyjiwj25t44it6.onion

Gizmodo
gmg7jl25ony5g7ws.onion

Global Witness
37fmdxug33hhyi2g.onion

HuffingtonPost
rbugf2rz5lmjbfun.onion

Lucy Parsons Labs
qn4qfeeslglmwxgb.onion

Public Intelligence
arujlhu2zjjhc3bw.onion

The Guardian
33y6fjyhs3phzfjj.onion

TheIntercept
intrcept32ncblef.onion

Vice Media
e3v3x57ykz25uvij.onion

It is not obvious which of these are running the latest version of SecureDrop. It seems that sometimes when a news org does take the trouble of updating their SecureDrop (obviously it would be unwise to trust one which doesn't!), this results in a new onion address being generated, but the news org may then sometimes forget to tell SecureDrop.org about the change.

Thanks to all reporters who try to goad their editors into letting them cover human rights stories!

> It's not listed in the SecureDrop directory

I am told by someone who claims to work for one of the listed publications that this directory is itself out of date, and he appears to be correct.

I think the problem is that SecureDrop depends upon news orgs to be sufficiently organized :-/ to update their entry in the directory when they change their onion, but there is no reason to think they are doing that. Sigh...

SecureDrop uses cron-apt to pull its update and 16.04 LTS security updates nightly. Config here:
https://github.com/freedomofpress/securedrop/tree/develop/install_files…

Wired's instance is on the latest SecureDrop version, 1.1.0, according to this public endpoint:
http://k5ri3fdr232d36nb.onion/metadata

This would indicate that cron-apt is running. Beyond that, nobody but the Wired SecureDrop admin would have any (legitimate) visibility into the state of the system.

Securedrop instances aren't always listed in the directory - sometimes they don't want to be, don't know about it, or don't meet criteria around the landing page or the instance setup as listed here:
https://securedrop.org/directory/submit/

I don't think I stated what I was told very well, which is not inconsistent with what you just said. This is very helpful, and I hope more potential whistleblowers and sources will try SecureDrop.

Particularly valuable for US publications would be inside information on how FBI is abusing JTTF in various cities to harrass peaceful protesters and political dissidents. Also on the new CBP Fusion Center which accesses NSA databases apparently including recordings of phone calls and text messages.

FPF human here! With some probably not entirely satisfactory answers:

SecureDrop uses cron-apt to pull its update and 16.04 LTS security updates nightly. Config here for the interested:
https://github.com/freedomofpress/securedrop/tree/develop/install_files…

Wired's instance is on the latest SecureDrop version, 1.1.0, according to this public endpoint:
http://k5ri3fdr232d36nb.onion/metadata

This would indicate that cron-apt is running. Beyond that, nobody but the Wired SecureDrop admin would have any (legitimate) visibility into the state of the system. If there were failures in applying Ubuntu security updates however, I would expect the SecureDrop application version to lag behind.

Securedrop instances aren't always listed in the directory - sometimes they don't want to be, don't know about it, or don't meet criteria around the landing page or the instance setup as listed here:
https://securedrop.org/directory/submit/

Potential whistleblowers should always do some anonymous research first (preferably via Tor Browser, on a device they control, and on a network they're not previously associated with) on the organizations they plan to contact. A SecureDrop directory listing is a strong indicator that a given org is taking the setup of their instance seriously, but it's not definitive and there may be orgs that are a good choice to leak to that are not listed there.

October 22, 2019

Permalink

Over the last few years this seems like the biggest improvement between major versions, both in performance and UI design. It's wonderful. Hopefully we'll see the number of users increase.

October 22, 2019

Permalink

According to https://browserspy.dk/headers.php , the new Tor Browser 9.0 reveals my user-agent on the wire as:

Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0

Reveals platform in HTTP header (even in Safest security mode, no JS). Also, wrong Firefox version.

about:support properly says:
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0

Workaround: I used about:config to set general.useragent.override to the same value as about:support says. Tested, seems to work.

Please fix. Thanks.

This is not what the user agent is supposed to be. It should be "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0".

Do you have the same user-agent in a new install of Tor Browser 9.0?

October 22, 2019

Permalink

DAMMMNN!! Hopefully firefox allows/themes on the preferences page soon. Want dark theme all around. Nice work :D

October 22, 2019

Permalink

Avast just quarantined mozavutil.dll and nssdbm3.dll when updating to torbrowser 9.0 as Evo-gen !!! Are they essential??

October 22, 2019

Permalink

Sorry. But i don't like these white borders inside the tor browser. shit on fingerprinting. Is there a place where i can switch this off?
I mean... Sorry. But when not... Maybe this is time to choose another browser...

Sure there is an option to do that but it is not recommended if you are resizing your windows: privacy.resistFingerprinting.letterboxing is the preference governing this feature.

October 22, 2019

Permalink

Letterboxing is great at softening the fingerprint in those rare cases where you accidentally resize or maximize a window. However doesn't it decrease the uniformity if people start using it intentionally, given all the possible window and height combinations?

Is using the default window size still recommended?

Yes, the default size is still recommended. But, if users are resizing their window they should get some protection now. Before that we only had the notification bar popping up and essentially saying "Don't do that! Danger!" which was kind of lame. Now, we have something better to offer which fits more to our privacy-by-design goal.

October 23, 2019

In reply to gk

Permalink

Maybe you should still display the pop-up, although to be honest it seem ineffective, people have understandably just gotten too used to annoying popups and notifications and instinctively close or ignore them. I see people maximizing their Tor browser all the time out of habit.

> Maybe you should still display the pop-up

+1. But rewrite its message to explain letterboxing. It won't get in the way like before, either, because there's now empty space due to letterboxing above the page area. Hell, if you could make the whole letterbox border all around flash yellow three times, it might grab their attention long enough that they'd actually read it. It's ridiculous the lengths we have to go to get people to look into a pitifully simple message, "Danger. This harms you and your fellow community. Please don't do it." I mean, I might as well be talking about climate change! Convenience and coveting seem to be conquering every other decisonal factor.

October 23, 2019

In reply to gk

Permalink

And thank you very much, from one of your loyal users who complained loudly about the old bad way of handling accidental resizing.

Just to be sure: this new letterboxing feature will still provide some anti-fingerprinting protection regardless of which security setting ("safest", "safer") you are using, right?

October 24, 2019

In reply to gk

Permalink

Can TP seek funding from Raspbian.org or RaspberryPi.org to

o make a Tor Browser for the Pi?

o make the Raspbian repo into an onion?

o design a Pi to Pi secure chat? (Would be very useful in places like Santiago and Hong Kong, where neighbors need to talk to neighbors.)

o offering a battery making the Pi mobile?

If it helps, I use Pi-3 and have heard that Pi-4 has some problems with overheating.

I don't have an answer for designing a Pi to Pi secure chat, but...

> Tor Browser for the Pi?

There is a more active comment thread about Tor for Pi in this blog post and ticket #12631 for ARM architecture.

> make the Raspbian repo into an onion?

You seek Peter Palfrader. He manages the onions for both Tor Project and Debian (name in footers at bottom). While you're asking Tor Project to reach out, ask Raspbian to reach out to TP at the same time, too. Coordinate introducing them.

> a battery making the Pi mobile?

Could've done a web search before asking. Those exist. Bookmark stores that sell electronics components:
https://duckduckgo.com/?q=adafruit+similar
https://www.reddit.com/r/arduino/comments/1zocsq/alternatives_to_make_a…
https://www.quora.com/What-are-some-other-popular-websites-similar-to-S…

For good measure, also bookmark "maker" sites, hobbyist robotics sites, hackaday.com, and "single board computers".

> You seek Peter Palfrader. He manages the onions for both Tor Project and Debian (name in footers at bottom). While you're asking Tor Project to reach out, ask Raspbian to reach out to TP at the same time, too. Coordinate introducing them.

Would if I could but have been unable to contact any of the suggested entities.

Thanks for the tip about Pi batteries.

October 22, 2019

Permalink

Thank you for this nice update, nothing will ever be 100% but 99.999%, threats are renewed every hour, just a question to those who criticize: Who is able to do better than the Tor Project on time current?
Simplicity, security, development, freedom of speech to users, speed to fill the gaps, seriousness in the realization ...? Nobody!
It's very very hard for them, how many different platforms and configurations for each of us? a lot ... they have enormous pressure, do not forget that they carry our lives at arm's length ...

Thank you Tor Project

> change the size or color of the border area?

Size? Yes, drag the window borders. Maximized or fullscreen? Not without recompiling. The dimensions of the inner area snap to intervals of 200 px by 100 px. It's intentional so everyone's browser fingerprints will look more alike, but leaving the window at its starting size is best for privacy. For more information, scan yourself on a browser fingerprinting site such as EFF's panopticlick, but note that Tor Browser's traffic is designed to appear as similar as possible to other Tor Browsers. It isn't practical and is basically pointless for Tor Browser's traffic, coming from the Tor network, to look like normal "clearnet" browsers.

Color? They're working on it: Bug #32220. Stay tuned.

October 22, 2019

Permalink

Tor browser no longer launching after this update. Tried both upgrading from 8.5.5 and installing a fresh one. I'm using Trisquel 8 x86.

October 23, 2019

In reply to gk

Permalink

Thanks very much for the update.

I'm having the same problem as Dustin. Updated from v8.5.5 and then tried fresh install and it won't start.

My OS is Kubuntu 14.04.6 LTS i686 (I know, I should upgrade).

Starting it from command line I get:

user@computer:/opt/tor-browser_en-US/Browser$ ./start-tor-browser --debug
./firefox.real: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory
user@computer:/opt/tor-browser_en-US/Browser$

(Permissions, owner and so on are fine, it was working correctly up to v8.5.5)

October 23, 2019

In reply to gk

Permalink

Looks like it's working after installing package libatomic1:i386 (4.8.4-2ubuntu1~14.04.4). Couldn't find libatomic.so.1 anywhere in my file system (apparently isn't installed by default) and that package seems to provide the library.

October 23, 2019

In reply to gk

Permalink

Launching './Browser/start-tor-browser --detach --debug'...
./firefox.real: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory

October 22, 2019

Permalink

Congratulations on #9!

Looks pretty okay over here. No complaints yet. Still, I'm going to wait until the first wave of bug fixes before I settle in.

Going to 68 is a big jump!

October 22, 2019

Permalink

after the upgrade (8.5 -> 9.0 ), when starting up, the error message "Startup is not possible because api-ms-win-crt-convert-L1-1-0.dll is missing on the computer. Try reinstalling the program."
(use a online translate :\ )

Win 7.

October 22, 2019

Permalink

Tor Browser 9 leak my OS!
On https://ipleak.net/ I see "Platform: Linux x86_64". This is true! But I like to see Windows NT 10.0 there.
User Agent is okay. Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0

I am using Tor Browser 9.0 under Tails 4.0, with security set to "safer".

I just tested this and got the same result reported above:

> Your User Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
> Platform: Linux x86_64

No idea whether this is a serious issue.

On the bright side, the IP shown is that of the exit router, and the test site reports no DNS leaks either. No leaks about plugins or mime either.

Used TB 9.0 under Tails 4.0 with security set to "safest", which disables Javascript.

Then IPleaks is unable to detect anything but the fact that my circuit used a particular exit node and the fact that I followed a link from this blog.

Of course this setting may make some sites less functional.

Do you have some anti-virus/firewall software installed that could interfere here? If so, which? Could you test whether uninstalling it (disabling is often not enough) gets Tor Browser working again?

It is not recommended to change cookie options from Tor Browser defaults. Just use the security level shield and New Identity features. Customization of network behavior (such as which cookies you accept and reject) will make your traffic conspicuous from other Tor Browser users and easier to be tracked. New Identity clears cookies. If you accept the risks and want to change cookie options anyway, find them in the Preferences menu.

October 22, 2019

Permalink

i have problem after update when open tor "The program can’t start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer. Try reinstalling the program to fix this problem." im using windows 8.1 pro 32bit.

October 22, 2019

Permalink

after update this error coming up "The program can’t start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer" im using windows 8.1 pro.

October 23, 2019

In reply to gk

Permalink

Just curious: would it be impossible to make a version of Tor Browser for Raspbian?

Thanks to the entire Tor and Tails teams for all your hard work!

Someone please correct me if I am wrong, but I believe this does not apply to the Pi, which uses armhf architecture not arm for its repos.

This is why I cannot simply use the existing Debian repos to load arm software into the Pi.

It would be wonderful if Tor Project can help RaspberryPi Foundation set up an onion mirror for their existing mirror. This would presumably be much easier than developing a TB for the Pi.

I see that the cited discussion

https://trac.torproject.org/projects/tor/ticket/12631

mentions a problem with Pi-2 overheating. It seems that this would be a problem with Pi-4 also. But I am using Pi-3 which apparently does not suffer from this kind of problem.

gk wrote (6 months ago):

> I wonder, generally, whether we should call the OS-arch combination linux-armhf here instead of just linux-arm, following Debian (especially as we might want to support 64-bit as well in the future).

I should explain that I am aware that armhf is somehow distinct from arm architecture, but I don't understand the differences.

> armhf is somehow distinct from arm architecture, but I don't understand the differences.

Basically, hf = "Hardware Floating-point". The processor includes a circuitry unit for floating-point arithmetic, fractional numbers. Processors without one must calculate fractional arithmetic in Software.

browser.urlbar.maxRichResults;0
browser.urlbar.oneOffSearches;false
browser.urlbar.quantumbar;false
there's still something left from this drop down menu.

October 23, 2019

In reply to gk

Permalink

For what it is worth, I have been testing Tor Browser 9.0 as provided in Tails 4.0, and with security set to "safest" and "safer" I have been experiencing no problems whatever at the sites I tried (mostly news sites).

October 23, 2019

In reply to gk

Permalink

Seeing as you're always asking Tor users for specifics, could you try being a little less vague?

Specifically what version of the .dll is required?

No-one in their right mind (or having any past experience with Microsoft products) is going to install patches willy-nilly that can break a currently working system - especially users on OS's that Microsoft would like to fade away.

So, version numbers, 32/64, dates etc for the .dll would be helpful - or just link them here.

At the moment I have to butcher an old version of Tor to get something working without helpfully updating to something that is non-functional.

Please test properly before release, make less assumptions and give your users a little more choice and control.

Thank you.

Having your operating system up-to-date is essential for Tor Browser providing the guarantees it offers. So, my advice here is using the update mechanism of your Windows system to get all the security updates you missed so far (and the .dlls you need).

The DLLs are bundled in the Universal C Runtime (CRT) update:
https://support.microsoft.com/en-us/help/2999226/update-for-universal-c…
For specifics of what's inside it, click "File information".

> especially users on OS's that Microsoft would like to fade away.

Try Tails. It runs in RAM from a bootable USB or DVD and won't affect the OS on your HDD. Simply shut down, remove the Tails media, and start up to login to your original OS. In Tails, mount your HDD partitions to access files on your HDD.

I strongly recommend migrating to Linux for your situation. Linux Mint, Ubuntu, Zorin OS Core or Lite are for beginners. Others are listed on distrowatch.com. Ease the process by searching for cross-platform alternatives to your Windows software on alternativeto.net or alternative.me. Some might already be cross-platform. Others could be replaced by Linux-native alternatives or installed as Windows software under Wine or Mono. Pay attention to licenses as well: GPL, BSD, MIT, Apache, or commercial/proprietary.

It's possible to download the .dll by itself from a third party site, but then it's harder to determine if the file was tampered with. It's possible that versions of .dlls built for Windows versions so much newer than yours may not run on yours anyway. 32/64 isn't really relevant for the .dll because both will have been published unless one isn't necessary. The 32/64 architecture of your OS on which the .dll will be running, however, is very relevant because that is not easily changeable and thus defines which .dll(s) is/are needed.

Deviating from official support and even simply community support to extremes of choice and control also means accepting that you will do a lot of everything by yourself including adopting responsibilities for support, upkeep, etc. of your niche or forked project.

You're welcome.

October 22, 2019

Permalink

> Bug 28896: Enable extensions in private browsing by default
This removes the security feature of Firefox.

October 23, 2019

Permalink

So I am using TB8 with "extensions.torbutton.use_nontor_proxy: true".
Is it okay to upgrade to TB9? I had disabled Tor related add-ons and I have no intention to enable them.

Can someone confirm TB9 works with extensions.torbutton.use_nontor_proxy nicely?????

I kept extensions.torbutton.use_nontor_proxy switched to true.
Then In about:config I switched extensions.torlauncher.start_tor to false. Then changed network.proxy.socks to my SOCKS proxy address and network.proxy.socks_port to my SOCKS proxy port.
It seems to work, the only issue I have is some brief "freezing" when changing the noscript security settings. Also the browser freezes for a moment when trying to access the Tor settings.

If someone has a better way to use Tor Browser with a non-Tor proxy in TB9, please comment. Many people use Tor Browser alone without Tor network and I think it shall be possible to do so.

October 23, 2019

Permalink

Can you stop adding white-textbox completely?
Think for users who have less screen: 1024x768, 1366x768, and so on.

Please add a checkbox to disable it!! TB8.5 does not have this problem!

"less screen" is the most reasonable complaint I've seen about letterboxing to this post. Save that one. I had wondered also about Android displays but didn't say anything.

October 23, 2019

In reply to gk

Permalink

Of course, it is collected. Read the docs, see the errors of telemetry in console, check the prefs it adds...

October 24, 2019

In reply to gk

Permalink

Error: TelemetryStopwatch: key "WEBEXT_CONTENT_SCRIPT_INJECTION_MS" was already initialized ExtensionTelemetry.jsm:109:31
was already initialized

I have a LAN tap and can help test the reported issue if someone tells me exactly what to look for in a TCP dump. I would use tcp_dump in Tails on the monitoring machine and then use Wireshark to examine the dump.

Wouldn't Wireshark show encrypted Tor traffic? In the case of spyware Tor is a double edged sword because it's not easy to monitor what data leaves your computer if the spyware uses Tor.

When I want to test what data some program sends out I do it in a Whonix workstation. I'm not sure that's possible with Tor browser inside Whonix though.

Would love to hear about some other possible setups to both analyze the traffic and send it over Tor. Or, leaving Tor aside, some way to trick a program or the OS into sending requests even when not connected to the Internet so that you can see what requests would be sent to the outside world.

Since telemetry is on the Firefox side rather than in the tor binary, it seems theoretically possible to deproxy the browser so it communicates via the normal internet and so Tor's encryption is absent, but the telemetry data itself, if sent, is probably wrapped in Mozilla's TLS certificate. But OP left out that about:telemetry says, "upload is disabled."

> When I want to test what data some program sends out I do it in a Whonix workstation. I'm not sure that's possible with Tor browser inside Whonix though.

The idea is that you have a test machine running Whonix and a monitoring machine running Tails (say) which is behind the LAN tap at bottom of the "T". To anthropomorphize, the test machine has no idea that the LAN tap even exists, much less that it is copying every packet sent from the test machine to the router (or vice versa; you need two test machines and two captures to study bidirectional traffic). You take the capture on the monitoring machine using tcpdump with the option to drop privileges and later study the capture using wireshark (on a Debian machine, say). The last step does not require root privileges since you are using wireshark to study an existing packet dump not to make one (which would be dangerous to do using wireshark with root privileges).

You can also use Tails to capture WLAN traffic using airodump-ng, and later study the packets using Wireshark.

None of this tests what happens after traffic leaves your LAN or local WiFi.
Tails is very useful for all kinds of other things besides legitimate monitoring of your own devices/network, of course.

October 23, 2019

Permalink

Someone PLEASE HELP!

After I upgraded to 9, there is NO OPTION to set custom proxy
and the browser is IGNORING extensions.torbutton.use_nontor_proxy congiguration.

I NEED TO USE my proxy with tor browser. I was able to disablr tor addons and use any proxy.

HELP! I REALLY NEED IT BACK!

October 23, 2019

Permalink

Has anyone else had their twitter accounts locked out and about to be suspended after the new Tor update? I just lost my account after the new update and noticing before I was locked out Tor looked completely different with a large white border around the screen which made all pages online smaller. Could whatever Tor did in their update have made twitter accounts using Tor seem as "suspicious activity?"

Twitter was asking me to confirm my phone number. Before all they would ask is just type in your phone number. Today after the new Tor update it was asking me to CONFIRM the phone number I would need the actual phone in order to do so. The twitter account I have isn't originally mine and the person whose account it originally belonged to no longer has access to that phone number.

The ONLY other time this happened to me was weeks ago I lost two twitter accounts after installing an addon that would revert back to twitter's classic theme instead of the God-awful forced new twitter interface. The addon was just a simple user-agent switcher they explained it as it makes it appear as IE instead of as "mobile." The two accounts I lost at that time were also asking for me to confirm the phone number instead of just typing in the phone number which would let you log in normally.

I just got an email back from twitter's support saying they have unlocked the account. Now I'm afraid I might lose it again.

Here's how the new update looks with the new thick white border and it's how ALL pages online look regardless of where you go. The scroll bar on the right never appeared before either. Pages now at default zoom show that scroll bar on the right suggesting it's a larger screen when it's not.

https://imgur.com/a/daF3xMu

Windows TBB 9.0

I just got an email back from twitter's support saying they have unlocked the account. Now I'm afraid I might lose it again.

Write Twitter back to tell them that you use Tor because you represent a majority of internet users who support greater personal privacy [1, 2, 3, 4, 5, 6, 7, 8, 9] and that Twitter's automated defenses, not your behavior or content, are preventing you from being their return customer or "maximizing user engagement".

Link to this comment if you want, but I don't think would be as effective as your own personal stories.

October 23, 2019

Permalink

не работает после обновления выдает ошибку на windows 7 32 bit "запуск программы невозможен так как на компьютере отсутствует api-ms-win-crt-convert-l1-1-0.dll 2019" как мне исправить это? до этого обновления браузер работал отлично!

October 23, 2019

Permalink

if somebody has troubles to launch TBB (standalone) with firejail:
old launcher - ALL tabs crashing, no browsing:
Exec=firejail sh -c '"PATH/tor-browser_en-US/Browser/start-tor-browser" --detach || ([ ! -x "PATH/tor-browser_en-US/Browser/start-tor-browser" ] && "$(dirname "$*")"/Browser/start-tor-browser --detach)' dummy %k
new launcher - works properly:
Exec=firejail PATH/tor-browser_en-US/Browser/start-tor-browser

October 23, 2019

Permalink

New torbrowser can't be started with system tor on a Linux machines. Tor launcher cat't be deleted

October 23, 2019

Permalink

context menu (rightclick) on a link or button doesn't work properly. it opens the link immediately. happens in tbb only.

October 23, 2019

Permalink

looks like the changes with the proxy settings broke stuff like zeronet, i2p and freenet (probably because it seems like there's no option to block the proxy on certain addresses), and foxyproxy doesn't seem to help it. i'll back off to 8.0 again, but this should really be fixed, messing with what works can be annoying.

October 23, 2019

Permalink

first of all as always i appreciate all the hard work you guys put into keeping us safe out there!

but this version 9.0 isnt that supposed to be a stable version?

i cant run tor i fullscreen, theres missing like 15mm on each side of the screen.

also i miss the old blog version, this one looks really messy. cant see who wrote what to who and where the new comment comes in.

beside that great work!

It is a stable version, yes. You can disable the letterboxing feature (see the blog text for what it is about) in your about:config by flipping a preference (privacy.resistFingerprinting.letterboxing to false).

The blog is a sad story. We try to get that fixed but it seems that it is hard. The worked is tracked in http://ea5faa5po25cf7fb.onion/projects/tor/ticket/31114.

October 26, 2019

In reply to gk

Permalink

thanks for your respons gk, really appreaciate it because it made me go back to the outdated version that kept crasching. about the old version 8.5.5. it refuse to update from the browser. well the the update starts but then it refuse to launch the browser when the update is done. just wanted to let you know, there seem to be something hindering it from launching.

hope you guys find a fix for the blog. also i wish to have a dark version of the blog because this one (white/light) kills my eyes.

how can i give the tor browser a dark theme? i saw someone mentioned that there is a dark theme. much appreciated!

> it refuse to launch the browser when the update is done.

Check if your drive has enough space on the partition where you installed Tor Browser.

> how can i give the tor browser a dark theme?

Hamburger menu [≡] -> Add-ons (Ctrl+Shift+A) -> Themes
The letterbox border is not colored yet. It is planned to be.

November 01, 2019

In reply to gk

Permalink

> The blog is a sad story.

I worry about the fact that the PKI cert is so different from what I expect for a sensitive site. I am concerned that the blog I see may be a malicious clone of the real blog because I cannot reasonably assure myself of its relationship to Tor Project from the cert. If you disagree that this is an issue, please ask a TP expert to post explaining why it is not a serious issue.

It would also be very helpful to have a post advising how to use TB properly. E.g. I suspect most users do not know how to take advantage of sandboxing and try to store downloaded files in the wrong directory, or to use terminals in the wrong directory, etc.

If I understand you correctly, you are in the habit of deliberately maximizing the TB window. If so, can you explain?

As a user who loudly demanded the new letterboxing protection against too easy window size fingerprinting, because I sometimes *accidently* maximize the window, I am sorry to see how much confusion it is causing. I hope the users who are unhappy soon find you can live with it.

I too have technical problems with the blog, but only if I forget to change the security setting from "Safest" to "Safer" before submitting a comment. I can live with that. The way I see it, quashing bugs, doing research into growing the Tor network, expanding the Debian onions to other distros, to CRAN, Raspbian, etc, and keeping them healthy, reaching out to some of the more reasonable members of the Fourth Estate to combat FBI's anti-Tor FUD, etc, etc. is more important. But yeah if TP can fix all those it would be great to improve the blog :-)

all levels of security are much appreciated! however not everyone is living in a dictator state, hiding from the the fbl or being a criminal. i simply just choose my time when i need extra level of security, for example when doing bank transactions and not for all times. i use tor for everything and in long terms some of the features can get really annoying. i didnt buy a bigger screen so that i could see smaler windows. stay safe out there, unless youre a bad person then i couldnt care less what happen to you guys because i dont think bad people deserve any kind of protection what so ever :)

> all levels of security are much appreciated! however not everyone is living in a dictator state

You seem to not have read the basic overview that Tor's effectiveness depends on strength in numbers. No matter where you live or what you do with it, the protection you enjoy depends in part on whether your co-users, bouncing around the global Tor network and out of exit nodes, look like you when you all come out wherever your exit nodes happen to be. I would love so much for you and every newbie to interact with the map of circuits that was in Vidalia. Tor is not meant to act or be used differently for people logging into their local bank or watching meme videos than it is for people facing criminalization by whichever government's present-day incarnation of laws you happen to be subject to offline. Competency in using Tor demands a global perspective. Walk in someone else's shoes -- That is what the mutualist biome you enter when you layer up and travel through the Tor network tries to do for you, digitally, if you just let it.

maybe it is easier to accept it if it has black edges instead of white because it really looks like a bug that makes the window smaler than it actually is. because when you clearly see it is the wrong size it gets really annoying.

but as gk mentioned it is easy fixed for those who want it in its original size. the more security, anonymous and privacy settings it has the better as long as people can choose to opt out from them if they are not nessaccary.

i think the biggest problem is when people are not computer geeks but still want privacy and security they dont know how to change all these things. in that case, next to the blog link there could be a tutorial link for example. with videos and images showing and explaining. im sure there are volunteres out there with some video and photoshop skills who can make an easy understood and still profesional looking guide for those who need.

October 23, 2019

Permalink

why have you guys changed the "new identity" icon? i liked the onion one. no big deal really but it was easier to see and therefore find.

in privacy settings i unchecked all search suggestion results but i still keep getting sucksuckgo up while im writing in the adress bar.

im on kubuntu 19.04

thx in advance

If you don't want to have DuckDuckGo just remove it from your search engines in about:preferences or don't set it not as the default engine at least?

The onion was _not_ the icon for New Identity but rather the toolbar button into the depth of the Torbutton menu where New Identity was just one of the options to pick from. So, we tried with the broom to give a better visualization for what is going on when you press the New Identity button.

October 23, 2019

Permalink

Security Level radio buttons are still positioned above and below other intriguing buttons that people should not be tempted to touch. People commented under older blog posts that they did change them, and other people cautioned Tor Project about the layout. TP added a new preferences tab for Tor network preferences, but TBB's security levels should also be distinctly separated from Firefox preferences.

Other than that, 9.0 feels faster than 8.5.5, and I wish there had been a migrate/export notice about losing the Description field of bookmarks. It's unrecoverable now, I guess.

October 24, 2019

In reply to gk

Permalink

Yes, the description field is in bookmark export files. It'll take time to edit, but it's definitely there. Thank you, gk.

Agree about the annoying place of security level buttons. I often change security levels because some sites are broken without JS. I change the level just for one specific page load, then change back right away. There's a bit too much clicking involved just for doing that.

I agree with that and we are working on the remaining big piece of our security settings redesign: the per-site permissions should be easier achievable. You can track the work in https://trac.torproject.org/projects/tor/ticket/30570.

We did not have time to finish that part for 8.5 and thereafter we were busy with the transition to the new Firefox ESR which Tor Browser 9 is built upon. But we are picking that work up now to, so, stay tuned.

>
> Security Level radio buttons are still positioned above and below other intriguing buttons that people should not be tempted to touch.

I am using TB 9.0 in Tails 4.0, and I see (left to right)

1. inside the righthand portion of URL/search pane:

o history drop down (the arrow visible when you mouse over it)

o reader view button ("document" type icon)

o page actions button (three dots)

o bookmark button (five pointed star)

2. immediately to the right of the URL/search pane.

o security level button (shield icon)

o new identity button (broom icon)

o red UBlockOrigin button

o TB Menu (three bar icon)

I see these all on one line.

As I understand, most of these are inherited from FF so TB users should just remember to be cautious about changing default TB settings.

> righthand portion of URL/search pane

OP said "radio buttons". There are no radio buttons (example image) where you were looking. The security level radio buttons are in the Preferences tab, Privacy & Security section, surrounded by other Firefox-specific preferences.

October 23, 2019

Permalink

Mozilla wrongly sets MOZ_OPTIMIZE_FLAGS="-O2" for Windows as it was needed for compatibility with MSVC.

October 23, 2019

Permalink

Have been testing Tor Browser 9.0 in Tails 4.0 and it seems to be working very well!

Also tested things like burning DVDs in Tails 4.0 and all seems well.

Very noticeable improvements in Spectre/Meltdown mitigations which were causing some problems in older Tails.

Many thanks to Tails Project and to Tor Project for all your hard work!

October 23, 2019

Permalink

Many thanks for the letterboxing feature which addresses a concern I and others expressed in this blog!

October 23, 2019

Permalink

Is there a way of turning off the letterboxing ? It's really annoying and unaesthetic It just looks awful. While I appreciate the effort, I'm not overly worried about fingerprinting for most sites I visit, and basic UI stuff also matters.

Also I had to customize in the toolbar to remove the new 'sweep' button that's replaced the onion for New Identity. It just deletes your session without warning and that's also very bad. I often have multiple tabs open with Tor Browser when I'm doing research and that's just a really bad idea to have a button that can instantly wipe your session.

You are getting the warning on the first time and if you decide to not get warned anymore you won't. Otherwise you get every time you click on the New Identity button the warning whether you really want to do a New Identity now or not. I think we should not make it even harder to just get back to a clean session slate.

Sure, you can disable it Letterboxing by flipping privacy.resistFingerprinting.letterboxing to false.

I'm not overly worried about fingerprinting for most sites I visit

That's great for you, but what happens when you are worried? And what happens to everyone else? If a large group of users turns off letterboxing, that degrades its goal to help everyone blend in. Anonymity loves company. To quote gk: Do you have some ideas on how to make letterboxing better so you would not disable it?

the new 'sweep' button... deletes your session without warning

No, it doesn't unless you, yourself, clicked on "Never ask me again". To reactivate the confirmation prompt, open a new tab, type about:config, search for extensions.torbutton.confirm_newnym, and toggle or reset it back to true, the default.

> I often have multiple tabs open with Tor Browser when I'm doing research and that's just a really bad idea to have a button that can instantly wipe your session.

FWIW, I do a great deal of online research using TB under Tails, and I use "new identity" a lot but avoid tabs. That works for me but one does need to be more disciplined about the order of operations.

I consider the fact that the location pane doubles as a search pane to be quite tricky. I've gotten better at using this effectively, but IMO this feature should have been carefully explained in the announcement when it was new to TB but this did not happen.

The problem with "gestures" and mysterious never-before-seen icons is that users need to be clearly told how to use them properly, and ironically it can take more words to explain a gesture than it would take to explain a purely text based command.

If users are expected to guess what new features do and why, they could potentially do something dangerous. So IMO learning by trial and error is not a good idea for security-critical software.

I think this is one of the biggest long-standing issues with the "new version of Tor Browser" announcements: blog posters aren't thinking carefully enough about what ordinary users (e.g. people unfamiliar with the latest FF or the latest smart phone) can reasonably be expected to know.

October 23, 2019

Permalink

In another comment, someone else suggested (I think) that a bug in Tor Browser might explain problems I have noticed trying to use the Debian onions when I update my Debian 10 system on a desktop PC:

https://blog.torproject.org/comment/284420#comment-284420

Has that been fixed in Tor Browser 9.0?

I'd like to ask Tor Project to work with Debian Project to ensure that the Debian onions are protected by health checks, and if they are overloaded, to work to add capacity.

Further, I'd like to ask Tor Project to reach out to R Project to try to mirror CRAN on an onion, with suitable checks that the mirror is kept secure/accurate.

Would it be utterly impractical to use Tor with a Raspberry Pi? If not, can you post a guide? And can you work with Raspbian to mirror their repo on an onion?

Thanks for all your hard work!

I don't have an answer for your Debian 10 system, but...

> I'd like to ask Tor Project to work with Debian Project to ensure that the Debian onions.... Further, reach out to R Project... work with Raspbian...

You seek Peter Palfrader. He manages the onions for both Tor Project and Debian (name in footers at bottom) and the tor package for Debian. As for R Project and Raspbian, while you're asking Tor Project to reach out, ask those other projects to reach out to TP at the same time, too. Coordinate introducing them.

> Tor with a Raspberry Pi?

There are similar comments in this blog post and ticket #12631 for ARM architecture:
https://blog.torproject.org/comment/284717#comment-284717
https://blog.torproject.org/comment/284903#comment-284903

According to those, it sounds difficult at the current stage of development and thus impractical for general users but not impossible. See the ticket for guides.

October 23, 2019

Permalink

Just wanted to say that the new identity button seems to be working great in Tor Browser 9.0 under Tails 4.0.

I complained in a previous post about removing the onion icon but I now see I misunderstood so I withdraw my complaint about that :-)

Thanks for all your hard work!

October 23, 2019

Permalink

Secure Connection Failed
An error occurred during a connection to blog.torproject.org. PR_END_OF_FILE_ERROR

October 23, 2019

Permalink

Regarding the problems reported in some comments about using Tor Browser 9.0 with Linux and seeing that their OS is reported as Linux not Windows:

For what it is worth, I just tested this using Tor Browser 9.0 in Tails 4.0 (based on Debian 10) and got the expected result:

> HTTP_USER_AGENT Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0

October 23, 2019

Permalink

I'm running macOS "Mojave" version 10.14.6 on a four-year-old iMac. Yesterday, 2019.10.22, Tor Browser offered to upgrade my version of Tor from 8.5.5 to 9.0. I allowed the upgrade to proceed. This morning when I logged back into my iMac I discovered I cannot use Tor to log into my ProtonMail account, nor can I see Apple's System Status web page (https://www.apple.com/support/systemstatus/), as I routinely can. But if I use Firefox, I can see Apple's System Status web page and I can log into my ProtonMail account. That suggests to me that Tor 9.0 is broken in that respect. Also, I can use Tor to get to other web sites, such as this one where I'm providing this information to you. Those web sites display load promptly and display fine — just not Apple's System Status page and ProtonMail. Whoops. Just found another web page that won't display: Your "get in touch with us" (https://support.torproject.org/get-in-touch/how-can-i-get-support/) web page mentioned right here on this web page I am using to reply to you. Clicking that link returns "404 Not Found" in Tor 9.0.

October 25, 2019

In reply to gk

Permalink

> Do you know where you found the "get in touch with us" web page?

It's on the blog pages, at the bottom where it says "Join the discussion"

404 is a response from a site's web server that indicates a missing page on the web server. If you see a green padlock on a 404 page, then Tor is most likely running properly, and the site's web server is the thing that's having problems. 404 should not be confused with a browser's internal error messages indicating network or DNS problems such as "We’re having trouble finding that site," "Check your network connection".

If the server does not respond at all, not even with an HTTP error message, write down the date and time with timezone, the URL, and the IPs of your circuit from the circled [i] in the address bar on that tab. See if other sites open in that session. Try clicking the New Identity button and opening Apple's and ProtonMail's "broken" pages again. Both open fine for me. Still broken? Search for one of those uptime status or "Is it down?" websites, and see if it really is down for everyone. Was it just you? Relays go offline sometimes. If you think it was suspicious, consider reporting the relays:

How did you find that torproject link? I found a page on the Support site with an identical title: How to Report a Bug or Give Feedback but didn't find what links to your link.

October 26, 2019

In reply to gk

Permalink

I have the same bug sometimes. Seems to be caused by "Accept" header, which now is "image/webp,*/*" instead of "*/*" in the previous versions (this changed in Firefox with introducting the webp images support). Some servers somehow don't like that and return 403 error instead of a image.

October 23, 2019

Permalink

Good looking new New Identity broom sweep icon. It looks dissimilar to the other icons and illustrates its meaning reasonably well. Although it looks closer to meaning "clean up", the word "identity" is hard to visualize except for yet another rectangular shaped icon for an ID card or a silhouette of a head and shoulders for "persona" but lacking an action.

But you made the Bridges and Proxy preferences harder to find. Gotta update the FAQ and the manual.

> Good looking new New Identity broom sweep icon. It looks dissimilar to the other icons and illustrates its meaning reasonably well.

Plus one.

October 23, 2019

Permalink

What's with the horrible light border? I use a dark theme and the new border is just daft. Please put it back to the way it was. Cheers.

October 23, 2019

Permalink

I am using Tor Browser 9.0 in Tails 4.0. Just wanted to say that using the pane to send a search query to the DuckDuckGo onion seems to be working fine and is noticeably faster than with previous versions :-)

Many thanks for all your hard work!

October 23, 2019

Permalink

Letterboxing, a technique developed by Mozilla

Not based on or co-developed? Your ZDNet source repeatedly cites Tor Project as the original developer of the technique that inspired Mozilla whose modification made its way back into Tor Browser. (Hooray for libre software licenses!) Arthur Edelstein of Tor Project was even the reporter of Mozilla's Bugzilla ticket.

October 23, 2019

Permalink

bringing the number of supported languages to 32

Translators, please bring that many to the website, support, manual.

October 23, 2019

Permalink

Unfortunately comments are closed in

https://blog.torproject.org/new-release-tails-40

but Tails 4.0 includes OnionShare 1.3.2. This is better than the previous version, but it is not yet OnionShare 2.2, which has possibly desirable features as explained in

https://blog.torproject.org/new-version-onionshare-makes-it-easy-anyone…

On the face of it, "amnesia" might not seem fully compatible with publishing an anonymous website using OnionShare, but I hope Tails Project will consider upgrading to OnionShare 2.2 in the next edition of Tails, if that is possible and if it does not introduce security issues.

Until about a year ago, Tails Project was apparently working on a "Tails server" which would, I guess, have offered something similar to what the combination of Tails 4.1 and OnionShare 2.2 would appear to offer, if OnionShare 2.2 is included in Tails 4.1 (which would be I presume the next edition after Tails 4.0, the current edition).

October 23, 2019

Permalink

I am using Tor Browser 9.0 in Tails 4.0 and so far it's great!

Wanted to shout out to Tails Project for fixing (apparently) a problem with Whisperback error reporting, which is now working again for me.

Also, I have a laptop whose hard drive is failing, so I now use it only by booting Tails from a DVD. When I do this with Tails 4.0, I get a popup warning me that the disk is failing. This is actually a very good thing because if I did not already know that, I would want to know it!

Many thanks to Tor Project and Tails Project for all your hard work!

Search the Tails menu for disk utilities. See if they have a feature to read a hard drive's S.M.A.R.T. data. If you can't find one, see if GSmartControl is installed. If not, you can install it from your software package manager or by opening a terminal and typing: sudo apt-get install gsmartcontrol Be careful not to do anything that could further harm the disk. Personally, I would open the case and unplug the disk until I had a reliable disk (or USB drive, another computer, trusted cloud storage, or DVD-Rs) to backup its data. A good internal hard drive is not expensive to replace relative to other components: about $40 USD, but you may need one of the things in parentheses or a USB enclosure to transfer data between them if you don't have a spare storage device or can't plug in both drives at the same time. Good luck.

> Search the Tails menu for disk utilities. See if they have a feature to read a hard drive's S.M.A.R.T. data.

Yes, it does, and I presume that this exactly where the popup message comes from.

Fortunately I had nothing of value on that hard drive. I see value in keeping it to befuddle the bad guys if someone steals the laptop.

October 23, 2019

Permalink

I am using Tor Browser 9.0 in Tails 4.0. Just wanted to shout out to Tails Project (again!) for another indication of the care they took in making Tails 4.0: when you boot Tails in on-line mode, connect to Tor network, and press the "Tails Documentation" icon on the desktop, you call up Tor Browser and see the documentation at the Tails website. But when you boot Tailos in off-line mode and press that icon, you see the version in file:///usr/share/doc/tails/website/ which is what should happen. Nice!

October 23, 2019

Permalink

Using TB9 without tor seems to be impossible. I set use_nontor_proxy = true, proxy.type = 0, but pages won't load. Is it a bug or TB just dropped support for nontor setups? Please, say it's a bug.

October 24, 2019

In reply to gk

Permalink

The preferences are still there, it doesn't work as expected though:
extensions.torlauncher.start_tor false
network.proxy.socks_remote_dns false
network.proxy.type 0
use_nontor_proxy = true
proxy.type = 0

works fine - until restart. Restarting Tor Browser will inevitably reset 2+3 in about:config for some reason.

October 23, 2019

Permalink

Small bug with the Russian version: The country names in the circuit overview are not localized anymore, they now show up in English. Used to be translated.

October 23, 2019

Permalink

as always great work!
i like the new button for new session, makes it much easier and faster zu do it.

i still have a problem with google captachs. i do them, but it still says it's wrong. help please!

> google captachs. i do them, but it still says it's wrong.

When I find sites like those, I just don't use those sites. No access = no patronage or clicks from me. Find and promote competitors of theirs who accept (and better yet, support) Tor. Here are some ISPs and hosting companies, too.

Website administrators should also learn that many other captcha methods exist that do not break their site through Tor.

October 23, 2019

Permalink

Something broke up since Tor Browser 8.5. In 8.5, I launch "D:\Tor Browser\Browser\firefox.exe" -osint and have ability to open links in new tabs of tor browser by clicking to them from other app (thunderbird).
Now with 9.0 release it looks like "-osint" option disappeared - tor browser doesn't even start from shortcut when it has this option specified!

here are the strings I have in registry:

[HKEY_CURRENT_USER\SOFTWARE\Tor Browser\Capabilities]
"ApplicationDescription"="Tor Browser"
"ApplicationIcon"="D:\\Tor Browser\\Browser\\firefox.exe,0"
"ApplicationName"="Tor Browser"

[HKEY_CURRENT_USER\SOFTWARE\Tor Browser\Capabilities\FileAssociations]
".htm"="TorBrowserURL"
".html"="TorBrowserURL"
".shtml"="TorBrowserURL"
".xht"="TorBrowserURL"
".xhtml"="TorBrowserURL"
".pdf"="TorBrowserURL"

[HKEY_CURRENT_USER\SOFTWARE\Tor Browser\Capabilities\URLAssociations]
"ftp"="TorBrowserURL"
"http"="TorBrowserURL"
"https"="TorBrowserURL"

; Register to Default Programs

[HKEY_CURRENT_USER\SOFTWARE\RegisteredApplications]
"Tor Browser"="Software\\Tor Browser\\Capabilities"

; TorBrowserURL HANDLER:

[HKEY_CURRENT_USER\Software\Classes\TorBrowserURL]
@="Tor Browser Document"
"FriendlyTypeName"="Tor Browser Document"

[HKEY_CURRENT_USER\Software\Classes\TorBrowserURL\shell]

[HKEY_CURRENT_USER\Software\Classes\TorBrowserURL\shell\open]

[HKEY_CURRENT_USER\Software\Classes\TorBrowserURL\shell\open\command]
@="\"D:\\Tor Browser\\Browser\\firefox.exe\" -osint -url \"%1\""

and, with Tor Browser 8.5 opening of links in new tabs of TB from other application worked OK. But now in 9.0 - it doesn't. It doesn't even start with -osint parameter!

osint is a Mozilla Firefox command line option. Tor Browser 8.5.5 was based on Firefox 60.9.0 ESR. Tor Browser 9.0 is based on Firefox 68.2.0 ESR. Browse Firefox's release notes to find what changed. I did a quick search and couldn't find osint.

Mozilla Support Forum:
can't open links from office 2016 or thunderbird
Why won't Links open from e-mail if Firefox is default browser

"Great" as in feeding the exact URLs you're currently browsing to a third party with a business model of surveillance capitalism which is literally what it's doing and not telling you up front? No thanks!

October 23, 2019

Permalink

new update has a strange border around all web pages. Anyway I can revert back to the previous version?

You might want to read up on the letterboxing feature first (see the above blog post): Then if you still want to revert that protection there is a preference you can flip: privacy.resistFingerprinting.letterboxing.

October 23, 2019

Permalink

Thank you Tor Project!

Am I no longer able to browse my LAN by excluding its IPv4 (CIDR form) from SOCKS requests?

How can I get back to surfing my LAN?

October 23, 2019

Permalink

Hello, since the update to version 9. 0 I have 403 forbidden errors.
Despite the addition of a rule in about/config or either the addition of a user-agent extension, nothing is done.
The same error occurs in version 9. 5a1.
Could you investigate, thank you in advance.

Best regards,

TorTue

November 01, 2019

In reply to gk

Permalink

I just encountered a "Bad Gateway" error when I tried to reload a page at another site. The notice gave an IPv6 address, which I do not know how to parse. Should the address stated in the notice correspond to a Tor exit node at the time of the incident? How can I check?

October 23, 2019

Permalink

I can understand some of the logic behind letterboxing as it's being used here. Making me scroll up and down, I'm used to that in order to see a long document.

But what is tragic on the UX front is hiding words on horizontal, so I have to scroll a little bit left and a little bit right just to see the content inside the letter box.

Is this the new default? Can't the width also be letterboxed, but not force me to scroll left and right just to read?

How snapping the width of the window such the inner letterbox never needs to act as a frame that masks the content?

> Can't the width also be letterboxed, but not force me to scroll left and right?

The width *is* letterboxed. You're describing a webpage that has not been coded with "responsive design" principles or was broken somehow. The formatting of the comments you're reading here on this blog, for example, is broken and ugly at the moment because of a security update to Drupal. Other times, raising Tor Browser's security level breaks some site's formatting because those sites depend on JavaScript or other technologies that allow invasive features, and TBB's higher security levels block those. Some sites contain HTML tables that restrict content to static widths that don't collapse gracefully when you decrease the browser's (any browser's) window width. Your issue exists in various forms across all browsers. In most cases, it's the fault of whoever designed the web page.

October 23, 2019

Permalink

Every previous version worked (on Win 7 64bit), but this one immediately pops up api-ms-win-crt-runtime-l1-1-0.dll is missing on launch.

October 23, 2019

Permalink

api-ms-win-crt-runtime-l1-1-0.dll is missing, so it won't start. This is part of visual C++ library, an optional OS addition. Why would tor assume everybody opted to have it installed? Tor didn't need it before, nor does Firefox require it. It just seems like an odd choice for a stand-alone security program that people often need to run from various PCs (e.g. library PCs) to call upon a dependency that wasn't included by default and many opted to not install.

You need to update your Windows to have the latest security updates. The .dll missing got shipped a while back with one of such updates. I think an up-to-date operating system is not an unreasonable assumption to have and build software upon.

October 24, 2019

In reply to gk

Permalink

I think it is unreasonable. Not everybody applies every update, such as public libraries, work computers etc. And even if they do, they often block them. If all applications they use (and want to run) work, why would they update the C++ library to accommodate 3rd party apps they don't even want to run on their computers? Loads of computers will never have the optional C++ libraries referenced by tor. Why needlessly limit tor to a subset of computers by referencing optional external libraries?

October 24, 2019

In reply to gk

Permalink

I have to agree with gk here. IMO, if your workplace, your library, your friends, etc, are not keeping software up to date, you need to complain to them, not to Tor Project.

Rule one of cyberprivacy: keep your system secure.

Rule one of cybersecurity: keep your system up to date.

Keeping a system up to date IS NOT the same as applying all updates and keeping them all enabled. Secure up to date machines commonly don't opt to have the visual C++ libraries enabled because doing so doesn't provide any additional security while allowing for more 3rd party apps, including malicious apps, to run and have easier access to the system, which also allows more buggy amateur programs to run and do unintentional damage. In short, an up to date machine with C++ disabled is far more secure.

October 27, 2019

In reply to gk

Permalink

THEY ARE APPLYING UPDATES! There's a HUGE difference between keeping systems updated and opting in, or leaving enabled, EVERY UPDATE. How is this confusing you?

Their systems are up to date. They just don't have any Visual C++ redistributes, including other non-essential components. Having them enabled doesn't make your system any more secure. In fact, visual C++ only serves to compromise your system by exposing it to a much larger number of apps written by lazy, malicious or inexperienced programmers.

> How is this confusing you?

Assuming you are addressing me (not a TP coder) rather than gk, could this be a Window vs Linux thing? I use Debian so I might misunderstand how Windows or Mac users upgrade their systems.

Yes, outdated. A couple comments sounded like they are on Vista or XP. I hope not. Your instructions are a joke. This thread is about the .dll. "Copy all different" from Mozilla mainline folder into Tor ESR folder has high probability of causing errors rather than fixing.

October 23, 2019

Permalink

It's good TBB is using new features Mozilla is offering.
BUT, the vanilla Firefox is going more and more the bugging me way.

Example: TBB 9.0 sets extensions.webextensions.ExtensionStorageIDB.enabled;false. Good.
FirefoxESR vanilla extensions.webextensions.ExtensionStorageIDB.enabled is true.
With extensions.webextensions.ExtensionStorageIDB.enabled:true the
privacy affined user cannot easily delete the storage-dir without ....annoying side effects because,
suddenly, the storage dir is the new browser-extension-data dir. What The Fuck is going on?
Why Mozilla is doing this?

October 23, 2019

Permalink

Can you - or mozilla(-: - bring back "Choose what you see when you open your homepage"(Home button) in 'Options', working like before?
Easy with TBB8.5.5, lilbit tricky with 9.0(not without about:config) -no editing without custom in ALL windows/tabs.

October 23, 2019

Permalink

All facebook's videos (facebookcorewwwi.onion) will not play. I'm using OS X 10.9.5. After downgrading to 8.5.5, all is well again.

October 23, 2019

Permalink

context menu behaves different. it is this option > ui.context_menus.after_mouseup;true

October 24, 2019

Permalink

The user interface is a bit slicker, with new identity possible with just one mouse click. :-)
Is it possible to globally block canvas data extraction, or have that ability added in future versions?
It's annoying to have to block canvas extraction for every second website I visit.

November 01, 2019

In reply to gk

Permalink

A blog about how to use sandboxing properly as a TB users (e.g. where to store downloads and why doing it right can help keep you safer) would be very useful I think. I have used TB almost from the beginning but am not confident I know how to use the sandboxing features correctly.

October 24, 2019

Permalink

Danger! TOR BROWSER version 9.0 Android -9.* ALPHA Android.

A vulnerability in the Tor Browser (Android) - version 9.0 / 9.*.* (alpha)

The problem description concerns Tor Browser version 9.0 / 9.*.* (alpha) for Android operating system!
The reason for the vulnerability: - after clearing the cache online, cookies and other identification data remain in the browser.

Detailed description of the actions performed and the presence of the problem:
I do not make any changes to the settings, I do not use add-ons.
Using a clean browser
After clearing the cache from the browser menu, necessarily change the tor ID.
And under such conditions, the result is sad.

My action:

1) launch Tor Browser
2) on the main page about:tor in the "address input field" window, I register the site address
3) click, activate the link
4) the site page opens
5) enter login and password
6) click, for the authorization process.
7) the page is reloaded, authorization occurs
8) I make any actions necessary for me on the site under my login and password.
9) the site page is open, do not click (do not click) on the exit button - do not touch anything.
10) click, browser menu
11) I go to the browser settings menu, click: "clear private data"
12) browser reports: "personal data deleted"
13) close the browser menu
14) in the opened main browser window (about: tor) in the address input field, I register the address of the site where I just was.
15) click
16) the site page is loaded and opened
17) I see on the opened main page of the site that I am authorized and online!
18) I click for example: on the link to enter the personal account, and freely enter without entering the login and password, I can perform any actions without authorization.

THIS IS A SIGN THAT PERSONAL IDENTIFICATION DATA HAS BEEN STORED IN THE CACHE AFTER CLEANING! A SIMILAR PROBLEM is PRESENT IN all versions of Firefox, Tor Browser, IceCat WHEN USING "PRIVATE MODE". IN" PRIVATE MODE " THE BROWSER CACHE IS NOT CLEARED, PERSONAL IDENTIFICATION DATA REMAINS IN IT UNTIL THE BROWSER IS CLOSED. ONLY AFTER CLOSING THE PROGRAM WILL THE CACHE BE CLEARED COMPLETELY. THEREFORE, DO NOT USE "PRIVATE MODE".
To FIX the PROBLEM, you need to BLOCK the AUTOMATIC link TRANSITION to the "PRIVATE MODE" (browser.privatebrowsing.autostart; false )
IN TOR BROWSER VERSIONS 9.0-9.*.* (alpha) ANDROID this ISSUE CANNOT be RESOLVED.

I do not recommend using version 9.0 / 9.* - (alpha).

USE TOR BROWSER VERSION 8.5.6 (ANDROID) IT HAS THE ABILITY TO FIX THIS PROBLEM.
In the about:config SETTINGS, FIND: browser.privatebrowsing.autostart SET TO; false (browser.privatebrowsing.autostart; false )

Опасность! TOR BROWSER версий 9.0 андроид -9.*ALPHA андроид.

Уязвимость в Tor Browser (андроид) - версий 9.0 / 9.*.* (alpha)

Описание проблемы касается Tor Browser версий 9.0 / 9.*.* (alpha) для операционной системы андроид!
Причина уязвимости: - после очистки кеша онлайн, в браузере остаются файлы куки и прочие идентификационные данные.

Подробное описание совершаемых действий и присутствие проблемы:
Никаких изменений настроек не совершаю, не использую дополнения.
Пользуясь чистым браузером
После очистки кеша из меню браузера, в обязательном порядке меняю идентификатор TOR.
И при таких условиях результат печальный.

Мои действия:

1) запускаю Tor Browser
2) на главной странице about:tor в окне "поле ввода адреса" прописываю адрес сайта
3) кликаю, активирую ссылку
4) открывается страница сайта
5) ввожу логин и пароль
6) кликаю, для процесса авторизации.
7) страница перезагружается, происходит авторизация
8) совершаю любые необходимые мне действия на сайте под своим логином и паролем.
9) страница сайта открыта, не кликаю (не нажимаю) на кнопку выход - ничего не трогаю.
10) кликаю, меню браузера
11) вхожу в меню настроек браузера, нажимаю: "clear private data"
12) браузер сообщает: "личные данные удалены"
13) закрываю меню браузера
14) в открывшемся главном окне браузера (about:tor) в поле ввода адреса вторично прописываю адрес сайта где только что был.
15) кликаю
16) загружается и открывается страница сайта
17) вижу на открывшейся главной странице сайта, что я авторизован и нахожусь в онлайне!
18) кликаю например: на ссылку входа в личный кабинет, и беспрепятственно вхожу не вводя логин и пароль, могу совершать любые действия без прохождения авторизации.

ЭТО ПРИЗНАК, ЧТО В КЕШЕ СОХРАНИЛИСЬ ЛИЧНЫЕ ИДЕНТИФИКАЦИОННЫЕ ДАННЫЕ ПОСЛЕ ОЧИСТКИ! АНАЛОГИЧНАЯ ПРОБЛЕМА ПРИСУТСТВУЕТ ВО ВСЕХ ВЕРСИЯХ Firefox, Tor Browser, IceCat ПРИ ИСПОЛЬЗОВАНИИ "ПРИВАТНОГО РЕЖИМА". В "ПРИВАТНОМ РЕЖИМЕ" КЕШ БРАУЗЕРА НЕ ОЧИЩАЕТСЯ, В НЁМ ОСТАЮТСЯ ЛИЧНЫЕ ИДЕНТИФИКАЦИОННЫЕ ДАННЫЕ ДО ЗАКРЫТИЯ БРАУЗЕРА. ТОЛЬКО ПОСЛЕ ЗАКРЫТИЯ ПРОГРАММЫ КЕШ БУДЕТ ОЧИЩЕН ПОЛНОСТЬЮ. ПОЭТОМУ НЕ ИСПОЛЬЗУЙТЕ "ПРИВАТНЫЙ РЕЖИМ".
ДЛЯ УСТРАНЕНИЯ ПРОБЛЕМЫ НЕОБХОДИМО ЗАБЛОКИРОВАТЬ АВТОМАТИЧЕСКИЙ ПЕРЕХОД ПО ССЫЛКЕ В "ПРИВАТНЫЙ РЕЖИМ" ( browser.privatebrowsing.autostart ; false )
В ВЕРСИЯХ TOR BROWSER 9.0 - 9.*.* (alpha) ANDROID УСТРАНИТЬ ДАННУЮ ПРОБЛЕМУ НЕВОЗМОЖНО.

Не рекомендую использовать версии 9.0 / 9.* -(alpha).

ИСПОЛЬЗУЙТЕ TOR BROWSER ВЕРСИИ 8.5.6 (ANDROID) В НЕМ ЕСТЬ ВОЗМОЖНОСТЬ УСТАНИТЬ ДАННУЮ ПРОБЛЕМУ.
В НАСТРОЙКАХ about:config НАЙДИТЕ ПУНКТ: browser.privatebrowsing.autostart УСТАНОВИТЕ ЗНАЧЕНИЕ; false ( browser.privatebrowsing.autostart ; false )

October 24, 2019

Permalink

Hi, since i download the new version (3 days ago), i cannot open Tor now. I use an other computer with a old version, but i loose everythink i had in may page. A window opens and say :
" firefox.exe - System Error
api-ms-win-crt-convert-l1-1-0.dll is missing from your computer? try reinstalling the program to fix the problem. "

I did it but it's a new page. How can i get my page again (whith all my bookmarks ? Sorry for my poor english.

October 24, 2019

In reply to gk

Permalink

Previously when you said it was going away I was upset, but I simply misunderstood what you meant. So FWIW, one previously unhappy user is glad to see that button go.

Old versions are here:
https://archive.torproject.org/tor-package-archive/torbrowser/8.5.5/
But it will immediately attempt to update, so you have to quickly disable your network connection and turn off automatic updates in Preferences. Do not overwrite the version you're using now. Install it in a different folder or completely delete the version you're using now. Old versions are not recommended for normal usage and do not receive security patches. Use them at your own risk.

October 24, 2019

Permalink

Hi there!
I updated TBB to last version 9...

After that, many locked prefs in my mozilla.cfg I've made are ignored.

Before version 9 in TBB, no problems.

How can I fix that?

Please help, thanks!

October 24, 2019

Permalink

- TorService is shutting down
- Orbot is deactivated
- updating settings in Tor service
- updating torrc custom configuration...
- success.
- checking binary version: 0.4.1.5-rc-openssl1.0.2p
- Orbot is starting…
- Connecting to control port: 38327
- Connecting to control port: 39793
- SUCCESS connected to Tor control port.
- SUCCESS - authenticated tor control port.
- Took ownership of tor control port.
- adding control port event handler
- SUCCESS added control port event handler
- NOTICE: Opening Socks listener on 127.0.0.1:9150
- NOTICE: Opened Socks listener on 127.0.0.1:9150
- NOTICE: Opening DNS listener on 127.0.0.1:5400
- NOTICE: Opened DNS listener on 127.0.0.1:5400
- NOTICE: Opening Transparent pf/netfilter listener on 127.0.0.1:9140
- NOTICE: Opened Transparent pf/netfilter listener on 127.0.0.1:9140
- NOTICE: Opening HTTP tunnel listener on 127.0.0.1:8218
- NOTICE: Opened HTTP tunnel listener on 127.0.0.1:8218
- Starting Tor client… complete.
- WARN: Managed proxy at '/data/app/org.torproject.torbrowser-3z0YituDxSAMCEVO8PCYTQ==/lib/arm64/libObfs4proxy.so' reported: error: "/data/app/org.torproject.torbrowser-3z0YituDxSAMCEVO8PCYTQ==/lib/arm64/libObfs4proxy.so": executable's TLS segment is underaligned: alignment is 8, needs to be at least 64 for ARM64 Bionic
- WARN: Pluggable Transport process terminated with status code 6

October 25, 2019

In reply to gk

Permalink

Just wanted to add that while these sites can provide good information for non-Tor browsers, they are not designed with the special needs of Tor users in mind, so many of the things you see there may be technically true, but also seriously misleading in the context of using Tor Browser.

October 24, 2019

Permalink

ok, I hope you will forgive me for not reading 6+ pages of comments bc yolo

How does it launch when you run a local tor client? This used to work without additional config: local tor client + TB

Now it segfaults when launching TB.
If I run TB exec binary it does not segfault--but then it shows Tor Launcher and "cannot find tor client"/"waiting for tor client" thus never loading browser.

is it a bug/reported?

October 24, 2019

Permalink

[Moderator: please allow some more OT praise for Tails 4.0]

The blog post about Tails 4.0 does not allow comments, but I'd like to point out some more features which are working great:

o Tails starts noticeably faster and shuts down faster on laptops and desktops

o gedit working fine

o LibreOffice starts instantly instead of taking a minute to start

o Configuring a laserprinter in Tails 4.0 is a bit different but works fine

The best way to thank the developers (reward success!) follows :-)

https://tails.boum.org/donate/?r=home
https://donate.torproject.org/

(I have no affiliation with either Project other than as a user.)

October 24, 2019

Permalink

Hi, I would like to have back the previous version. Could someone indicate the link (to old versions) where I can download this (before this 9.0)? Thanks.

October 24, 2019

Permalink

> Bug 31740: Remove some unnecessary RemoteSettings instances
> Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
> ...
> Bug 31979: TOPL: Sort dependency list
> Bug 30665: Remove unnecessary build patches for Firefox

Never have so few done so much for so many. You have the thanks of a grateful world.

And soon, dare I hope, individual donations from same! :-)

October 24, 2019

Permalink

I figured out the problem with running a local tor client: the segfault was not a bug but instead a subtlety of abicheck that would not impact default config.

The issue with TB 9 is: no way to setup user prefs from tor launcher stage. Instead you must create user.js and place it in profile.default to apply the required preferences and continue TB9 startup past tor launcher, and TB9 needs to be launched specifying control port password.

People like you who go out of their way install a privacy browser but then set uniquely trackable dimensions for the window and disregarded the yellow warning for superficial aesthetic reasons are precisely who letterboxing was invented to help in the first place. Do you have some ideas on how to make letterboxing better so you would not disable it?

October 24, 2019

Permalink

Tor 9.0 (Win64) setup file is infected with the virus Win64:Evo-gen. More specifically the file nssdbm3.dll, which belongs to its package of installation. Moreover also I returned to the 8.5 old-version Tor because this 9.0 release no more offer privacy (block) on cookies during the session.

The virus alert is very likely a false positive by your antirvirus product. Regarding your second point: there is no need to downgrade to an unsupported and vulnerable Tor Browser. You can adjust the cookie preferenences on about:config by setting the respective value for network.cookie.cookieBehavior. Possible values (among others) can be found at: http://kb.mozillazine.org/Network.cookie.cookieBehavior.

October 24, 2019

Permalink

New the "Verifying Signatures" docs are missing a critical piece of information that used to be present in the old docs - the OUTPUT. I.e. the fingerprints. People can no longer check the fingerprints spit out by gpg against those in your "verifying signatures" section because there aren't any. Why would someone remove that?

> People can no longer check the fingerprints spit out by gpg against those in your "verifying signatures" section because there aren't any.

It is true that gpgv does not display fingerprints:
gpgv: invalid option "--fingerprint"
gpgv: invalid option "--with-fingerprint"

However, according to Tor Project's guide:
"After importing the key, you can save it to a file (identifying it by fingerprint here):"
gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

That step is how to check the fingerprint. In that command, you type or paste the fingerprint of the key that you expect was used to sign the file. gpg searches its default keyring for that fingerprint, and if gpg finds the matching key, it outputs the key to the file ./tor.keyring. The next command passes that file containing either only the matching key or nothing at all to gpgv.

I admit it is a roundabout procedure compared to the usual way of calling gpg directly. Steps were changed (ticket #31296) after widespread certificate signature flooding attacks. I assume Tor Project chose gpgv in hopes it would reduce confusion or mistakes for newbies, but I don't understand why. Everything can be done with gpg alone, and it allows greater flexibility. Only one step involves gpgv. Substituting gpg for that step (replace FILE with your file):
gpg --no-default-keyring --keyring ./tor.keyring --verify FILE.asc FILE

Or to force displaying long keyIDs and fingerprints:
gpg --keyid-format 0xlong --fingerprint --no-default-keyring --keyring ./tor.keyring --verify FILE.asc FILE

October 24, 2019

Permalink

I'm shocked at the proportion of comments asking to disable letterboxing. If it were only a few, their choice would basically impact themselves, but if the large proportion here is representative of the whole, then they are impacting the other users who are trying to use Tor Browser as advertised to blend in and maintain privacy. Is this proportion accurately representative of how many users were maximizing their browsers before letterboxing was released and we just didn't know? FP Central and TorZillaPrint are suddenly much more valuable.

Are there certain default newly-opened window dimensions that result in a letterboxed content area? Could it be that some complaints are because of a default letterboxed layout?

Many have complained about its color. It sounds to me as if many complaints are related to watching videos. Traditional letterboxing is black after all, and I remember an old comment talking about Mozilla going back and forth about grey backgrounds when displaying a single image. It's in the blog post about Tor Browser 9.0a4, the alpha that first enabled letterboxing. Many other comments under that post are helpful. Gk's question at that time is more important than ever: "Do you have some ideas on how we could make letterboxing better so you would not disable it?"

In hindsight, I think the yellow warning bar should not have been removed and actually be replaced until users have time to become accustomed to letterboxing. The text on it could have been amended with an explanation of the new letterboxing feature they are seeing. An introduction is especially important because they don't see letterboxing in other browsers by default.

> I'm shocked at the proportion of comments asking to disable letterboxing.

Me too, particularly since I was calling loudly for this feature in comments in previous threads.

> If it were only a few, their choice would basically impact themselves, but if the large proportion here is representative of the whole, then they are impacting the other users who are trying to use Tor Browser as advertised to blend in and maintain privacy.

I had the same thought just before I saw your comment!

> Is this proportion accurately representative of how many users were maximizing their browsers before letterboxing was released and we just didn't know?

I've been wondering about that too.

I think the concern about weird and possibly unwise "customization" by some (many?) TB users possibly harming other TB users is going to be very difficult to assess, much less to mitigate. Nonetheless it is important and deserves discussion.

In some of the other comments in this thread, I saw users mentioning

o being forced (?) to use computers which are not being updated,

o needing to use accessibility features (e.g. for visually impaired users)

o preferences for various browser extensions and plug-ins

o needing to use Tor to log in to various websites

While this is hard to quantify except in very general terms, it seems clear enough that the population of Tor users is very diverse, and while this would be very desirable if everyone could use TB the same way, that is obviously very far from being true. While we who want to keep ourselves and our friends and family safe(r) could try to argue with other users that cybersecurity and privacy and anonymity are too important to be thoughtlessly endangered simply to use some cute but not truly needed app or extension, we certainly do not want to turn away people who suffer from vision or hearing problems.

Nor, perhaps, do we want to make it hard for daring users to explore using Tor in ways the developers have not anticipated, because someone somewhere just might discover something that converts Tor into the Next Great Thing which suddenly everyone in the world decides they simply gotta have. Which would be great if it did not hopelessly clog the Tor network through a sudden surge in global Tor traffic for which the network is not prepared.

One reason why it is important to start thinking about these issues now is that as the Tor network continues to grow, as it must in order to have any hope of keeping anyone safe(r), the diversity of ways in which people use Tor in ways which are not and cannot be anticipated by the developers is sure to increase.

So how can we try to ensure that the coming explosion in user diversity will not do more harm than good to those endangered people who need Tor most?

> So how can we try to ensure that the coming explosion in user diversity will not do more harm than good?

Looking back, users had mixed feelings in the wake of hiding certain things in the main UI in favor of about:config, but most people grew to understand it was a good move toward their shared goals.

I think so too. Probably on the technical side Tor has never been so strong.

It is frustrating to see some reporters (not the most knowledgeable ones) still characterize Tor as "notoriously unreliable software", and that Tor Project never points potential users to articles such as the fairly recent one (in Wired) by Lily Hay Newman advising Internet denizens that there has never been a better time to try Tor.

Regular readers of Ars Technica have no doubt noticed how a veteran reporter, Sean Gallagher, has been seduced by a clever USG cyberwarrior PR offensive, well tailored to his personal background, into making bad judgments (uncritical promulgation of what US military cyberwarrior propaganda). It is unfortunate that Tor Project is not fighting back in the media, because we are all targets of the cyberwarriors.

I believe that currently the most dangerous threats from USG to TP--- despite such alarming incidents as the CMU SEI scandal and the abortive CIA infiltration of TP-- are political, not technical.

October 25, 2019

Permalink

Hey Tor volunteers I just want to say that compared to the last major upgrade this one gave me no regressions or unpleasant surprises and I'm enjoying the improved performance of Firefox 68 (plus the letterboxing anti-fingerprint feature) that I'd been looking forward to for a long time. Great job.

October 25, 2019

Permalink

Can I extract this Tbb xz package to the old directory and overwritten most of the old Tbb? After that the bookmark still there?

That's not recommended as it might break your setup in subtle ways. What you could do is backup your bookmarks in your bookmarks menu in your old browser and import them back via the same menu in your new browser.

October 25, 2019

Permalink

Since TBB on version 9, many entries which I had set on
lockPref - false are ignored in my mozilla.cfg. The are all on default - true :-/

...in the folder /defaults/pref/auto-config.js

I set:
//
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);

pref("general.config.sandbox_enabled", 0);
pref("media.cubeb.sandbox", false);

That brings me back a lot lockPref settings in my mozilla.cfg, but not all.

What is that? Any idea?

I want it back and have control over that.

October 25, 2019

Permalink

I'm extremely grateful to everyone who made the Letterboxing feature available in Tor. I sometimes had to use other broswers just because the side bar (which I needed) kept giving away my browser size.
The usefulness of Tor Browser has reached a level I didn't even think was possible.
Thank you all, I'll be donating soon!

> the side bar (which I needed) kept giving away my browser size.

Well, now the window can be stretched so that the sidebar is open AND the content area is snapped to the exact size (fingerprint) that the window had on new identity when the sidebar was closed. :party_emoji: Win-win!

> The usefulness of Tor Browser has reached a level I didn't even think was possible.

And if the US Congress does not make personal privacy/cybersecurity illegal (e.g. by making uncompromising cryptography illegal), personal privacy/cybersecurity products (hardware and software both) may get even better rather soon!

I had high hopes for Tor Messenger and hope that this project will somehow be resurrected, perhaps in partnership with Signal. Better integration with the latest OnionShare could also have transformative effects in how ordinary people use Tor to get the word out about what is happening where they live.

Another area where I see enormous potential is growing a privacy industry which provides simple devices which do one thing but do it well, such as Stingray detection, high quality entropy provision, or high quality time signals, all of which could be very helpful to protesters in Hong Kong or Santiago or ....

Some of these suggestions are more ambitious than others. If Tor Project can continue to move away from government funding toward grassroots user funding, we can achieve our goals of making a better world for future generations to inherit. Or at least, of bequeathing a planetary environment in which is is physically possible for humans to exist. Lack of fresh water, food, sanitation, dry land, deadly heat waves, rampaging wildfires, forever wars, and radioactive fallout all threaten that rather modest but obviously desirable goal.

October 25, 2019

Permalink

When using the available One-Click Search Engines field of TB 9.0 at a Debian 10.1 (buster, 64 bit) install, the submitted keywords for looking at the "Wikipedia (en)" engine aren't subsmitted to the real Wikipedia search engine. Instead, the search field at the Wikipedia site (https://en.wikipedia.org/wiki/Special:Search) stays empty and the intended Wikipedia search isn't performed at all.

One needs to re-enter the submitted Wikipedia search keyword at the site again to do so. I'm not sure this is a new bug or just another new security and privacy feature in the new TB 9.0 (because of the fact, I suppose, that those keywords usually are mentioned in the URL, which may cause HTML-referer leaks). The other pre-installed Default Search Engine profiles work as one might expect. I hope this observation may clear this issue.

October 25, 2019

Permalink

Hello. The latest Tor Browser for Android stable that uses 4.1.5 doesn't work for me on LineageOS 14.1. Same for just Orbot 4.1.5 by itself. Can you please notify the Guardianproject people about it?

I can't update until then.

October 28, 2019

In reply to gk

Permalink

None show up in the log pane, it gets stuck at SUCCESS for connecting to control port then nothing ever happens after that no matter how long I leave it.

It does reduce your anonymity, but not as much as before. The size is rounded to multiples of 100 so you are more likely to have the same size as someone else who's window also got rounded exactly to that size.

However the specific value combination still tells more about you then default size.

October 25, 2019

Permalink

re: letterboxing

Have not seen this suggested so far. I rarely maximize the screen except for video content now and then so .. what about making the letterbox come on only when the screen is maximized - just as the previous warning came on only when screen was maximized. That would be a good thing then - could still maximize when wanted and be protected - the rest of the time normal...

What about accidental maximizations or fullscreens? This is a source of anguish for those that care about anonymity and never change their window size. And what about reducing the uniformity for the rest?

Disabling letterboxing just for some specific deanonymizing use case so that we all stand out more is a bad idea.

I agree, but I do not think Tor Project or Mozilla are going to abandon letterboxing anytime soon, precisely because of the danger to ordinary people in "private browsing" mode which you cited.

October 25, 2019

Permalink

network.cookie.cookieBehavior... Really? No way this can't be serious as a common procedure. Cookies, as other tools, are used to gather information from users; and this information-data is sold literally for millions of dollars. When Tor decides to enforce users to accept (default option) and ignore the cookies, then all the trust founded in Tor privacy quickly starts to crumble till total collapse. By the way, don't expect also that most users will came to this place to warn or complain about. In fact mostly will not; instead they will just move on and forever away.

Not sure what you mean. The default option in Tor Browser (contrary to Firefox) is *not* to accept all cookies. We block any third-party cookie by default exactly to make the tracking by cookies across different domain impossible.

October 25, 2019

Permalink

The problem with letterboxing is that it's always white, even when I'm using dark mode with the "Dark Mode" extension. Which I wouldn't have to use if tor-browser didn't ignore color setting I have set under Language and Appearance.

October 25, 2019

Permalink

my virus total 360 blocks install of this saying "changes dll" is this normal??? i run it through virustotal.com and it comes up clean

October 26, 2019

Permalink

@ Anonymous, yes in about:config.

example I want all devtools prefs to false because I don't need it.

Or telemetry and so on.

I set in mozilla.cfg all devtools to false and locked them. Before update to version 9, no problems, works.
With version 9, many devtools prefs are ignored and I have moved them to user.js. That works.

Or this:

user_pref("devtools.onboarding.telemetry.logged", true);

I tested it and set in mozilla.cfg:
lockPref("devtools.onboarding.telemetry.logged", false);

Restarted TBB, no effect, was set to true again.

I put it in user.js
user_pref("devtools.onboarding.telemetry.logged", false);

Restarted TBB, no effect, was set to true again.

After that i set false in about:config to "devtools.onboarding.telemetry.logged"

No effect after restart of TBB with version 9.

I would be better I have 100% control over that and
change what ever I want.

Any idea to change it and prevent TBB to set it on true after restart TBB?

I can confirm that Tor Browser 9.0 is resetting some preference values, whether set via about:config or user.js.

I am using a separate bundle for the few cases that I need clearnet. In the past I disabled proxying and Tor launcher addon (and a couple other things like circuit display, update checks, tor check, etc. but this was not strictly necessary) mostly via user.js. So for a fresh bundle I simply placed user.js in the appropriate directory and changed a few other things within the browser itself. I did this once and the settings persisted through each future run.

With TB 9.0 I have to go to about:config and manually change the values each time I run this bundle because the settings are reset on each run. It is not the case that user.js is simply ignored but that some of the values are reset by some later code on startup.

November 01, 2019

In reply to gk

Permalink

These are the ones that get reset back to defaults:

  1. <br />
  2. user_pref("network.proxy.socks_remote_dns", false);<br />
  3. user_pref("network.proxy.type", 0);<br />

All other settings that I also modify via user.js don't get reset back to defaults.

Maybe it's related to Tor preferences not being accessible i.e. if I go to preferences and click on the Tor icon nothing appears or happens. For me this is not surprising at all since I also disable torlauncher.prompt_at_startup and torlauncher.start_tor, but maybe it confuses some piece of code into resetting those values above.

That is good as along as they have the same fingerprint on other devices as well. The problem is only if some fingerprint is specific for some device. If so, can you check which part of the reported fingerprint is specific for your device?

Also try using higher security levels as much as possible. "Safer" level is perfectly usable almost everywhere.

October 26, 2019

Permalink

Hi @ all!

Is it possible to disable the torlauncher.torrc_fixup?

I want use my own torrc file and the torrc fixup sometimes breaks my torrc file and replaces it with original torrc.

I am not sure what your problem is. Could you describe what you want to do? Why is it not enough to edit the torrc file (or create it if it's not there)? torrc-defaults gets indeed overwritten as the comment in it says.

October 26, 2019

Permalink

So now there are loads of users whose manually disabled letterbox setting will be comfortably forgotten and roll over through every update from now on. By not educating users about a new persistently visually-invasive feature, I think Tor Project fucked up the rollout of it.

October 26, 2019

Permalink

I still can't download images from tor android. Do you fix that problem in future updates?

October 26, 2019

Permalink

Hey so now that onion button is gone, what do I do to restart the connection - after I have (for reasons) manually killed torr.exe - without closing the browser and losing all the tabs like the new identity button?

October 28, 2019

In reply to gk

Permalink

Well previously I could get to the Tor Launcher window through the onion button. Pressing reconnect would restart torr.exe
After the update I couldnt figure out how to bring it up anymore (yes I'm a newb, but still an attempt was made).

The only way to restart it now is through the automatic popup prompt like so:
https://i.imgur.com/vZFTzlN.png

Are there any other ways?

It seems you are missing some updates on your Windows system because one of those updates did get you those missing .dlls. I'd suggest trying to fix your update situation on your computer, install all (the security) updates because otherwise Tor Browser might not give you the security and privacy guarantees it promises you.

October 26, 2019

Permalink

The option to not check for updates has been removed in the UI. What is the about:config option to disable automatic checking for updates? I like to update manually.

October 26, 2019

Permalink

It's a serious mistake to remove settings for users to (easily) control cookies. The "some sites require cookies to..." excuse is fairly lame.
If I go to a site that requires cookies - to work at all, then *I'll* decide to allow cookies, not have it decided for me.
Many sites say that, but don't really break if cookies aren't allowed (or parts I don't care about may break).

We did not remove the settings for having per-site decisions about cookie acceptance. That's still on your preferences section. What he hid was the Tracking Protection UI which includes general, global cookie settings (like general allowance, only first-party cookies etc.). You can do that change in your about:config now by adjusting network.cookie.cookieBehavior.

October 27, 2019

Permalink

i cant run tor browser after update because of the problem with the file:api-ms... can i download previous version?

It seems you are missing some updates on your Windows system because one of those updates did get you those missing .dlls. I'd suggest trying to fix your update situation on your computer, install all (the security) updates and then use Tor Browser 9 as older versions are having security holes in them, too.

October 27, 2019

Permalink

Surely this OT good news item is worthy of celebration in a new Tor Blog post: the BBC has launched an onion mirror:

bbcnewsv2vjtpsuy.onion

See also:

theregister.co.uk
Tor blimey, Auntie! BBC launches dedicated dark web mirror site
Censor-dodging news for those sat in ban-happy countries
Kat Hall
24 Oct 2019

October 28, 2019

Permalink

@ gk,

I tweaked my torrc file. It's working great. After some re-starts of TBB, it's re-created the torrc file and feigned it.

I want to stop this.
So I ask if it is possible to disable "torrc-fixup"?
Or set torrc path manual in about:config?

I am not convinced that the "torrc-fixup" is responsible for that. Could you give us some steps to reproduce your problem? In particular what does "it's re-created the torrc file and feigned it" mean?

October 28, 2019

Permalink

Letterboxing dimensions should be based on common desktop resolutions and window sizes in a maximized state, not arbitrary fixed increments. Every Windows user with a classic theme applied and a common resolution will have the same browser window size when maximized, letterboxing or not, so there's no reason to meddle with it. It should only be there for EDGE cases to protect people with unusual setups.

Letterboxing in its current state will motivate users to turn it off to recover screen real estate and further split anonymity pools, making it counter-productive.

There's already a proposal to spoof screen size with a few common resolutions: https://bugzilla.mozilla.org/show_bug.cgi?id=1591337

As for window size: if I understand you correctly you do not want to disable letterboxing in maximized state. Instead you want to use a different set of window sizes that the inner window "snaps" to. Currently this set is multiples of 100 and your idea is instead to use the sizes of maximized vanilla Firefox windows on a standard Windows system at common resolutions (so taking into account panels, window borders, toolbars, scrollbars, etc.). Meaning that, for example, a user running GNU/Linux with a non-maximized window will have letterboxing applied in a such a way that the size would equal a maximized vanilla Firefox window on a common Windows system with a common resolution.

That's an interesting idea. But it would work only as long as the resolution pool for the letterboxing to be based on is sufficiently large, for example at least third of the size of multiples-of-100 set. Otherwise you'd have windows with most of their screen estate wasted for letterboxing. It would also not work at smaller window sizes, unless you start pretending to be a smartphone or a small tablet (could use both landscape and portrait mode depending on window ratio).

I'm not proposing the fixed increments be totally done away with, but where we can identify majority viewport sizes, they should substitute for (one of) the neighboring multiples of 100. Since TB makes no attempt to conceal OS family, these hard-coded values can be OS family specific.

Let me try to explain with an example. Windows 10, 1920x1080 screen resolution, default theme, maximized. Firefox has an available viewport of 1920x932*. We would therefore replace 1900x900 with 1920x932, which would make the letterboxing feature completely invisible to those users when in a maximized state and gain them an extra 640 pixels, with no loss to privacy.

The percentage of such users who might otherwise be given a 1900x900 window size could be very high indeed. If they are persuaded not to turn off letterboxing, we would actually improve their (and everyone else in that resolution bin's) privacy.

Desktop environments on GNU/Linux are probably too heterogeneous for this to be worthwhile. Maybe something could be based on Tails.

BTW, horizontal and vertical scroll bar size can still be measured, even with letterboxing turned on. I'm not sure this can be fixed.

*Not real numbers

> BTW, horizontal and vertical scroll bar size can still be measured

That's a different issue and not related to screen/window directly. It shouldn't be hard to add some CSS mods to the firefox core to make all OS's use a static width. Want to help out -> https://trac.torproject.org/projects/tor/ticket/22137 ?

> Since TB makes no attempt to conceal OS family...

It is always planned, where possible, to obfuscate the OS. Let's not give away easy free entropy. Hopefully the issue with HTTP header UA vs navigator objects can get back to two OSes only when the blocker bug is done.

> these hard-coded values can be OS family specific

That would add complexity/upkeep and isn't a universal solution

> Windows 10, 1920x1080 screen resolution, default theme, maximized. Firefox has an available viewport of 1920x932 (made up numbers)

There is **no** such common inner window size: there are too many variables with the OS (DPI, taskbar heights-widths affect available screen) and Firefox chrome itself (insert list of 20 things here) that we can't control

Because screen metrics are tried to the inner window
- without letterboxing there are literally thousands of possible combinations of width/height, because w/h can increment by 1 pixel
- with letterboxing there are still lots: example on my 2560x1440 screen: staying over 600px width and height: I can get 10 different width steps and 8 different height steps = 80 combos
- zoom being tied to inner window, also affects the screen metrics: screen was never designed to have this happen to it

The problem is one of our own making, by tying screen to chrome. The real solution is to treat screen vs chrome as different threat models, and treat them accordingly: especially as screen is all that FPing scripts in the wild go for, because they crave stability. Letterboxing would still protect chrome metrics

Desktop environments on GNU/Linux are probably too heterogeneous for this to be worthwhile. Maybe something could be based on Tails.

But why not base letterboxing in all other releases on Windows as well? The User-Agent HTTP header is set to Windows in all releases after all.

I think there is much bigger potential here than just satisfying users who maximize their windows. Instead make all users at all window sizes on all OSs pretend to run a maximized vanilla Firefox on a standard Windows desktop at some standard resolution. So to completely replace the current multiples-of-100 set with something that is very common outside of TBB userbase.

Most people use Windows, some of them use Firefox, most of them maximize their browsers, and almost all of them use standard resolutions. So why not use their really existing inner window sizes for letterboxing in TBB?

October 28, 2019

Permalink

Ehm, new tor browser behavior in tor log:

10/xx/19, xx:xx:xx.xxx [WARN] Error replacing "X:xxxxxx\TorBrowser\Data\Tor\torrc": Permission denied

October 31, 2019

In reply to gk

Permalink

"[...]X:xxxxxx\TorBrowser\Data\Tor\torrc": Permission denied"

On MSWin7, the last privacycompatibe MSWindows-version, with blocked
write in file attribute(file->right-click).

November 02, 2019

In reply to gk

Permalink

"[...]causing this file to be read-only?"

Intentionally. Tor shouldn't try to replace torrc when i don't want this?

October 29, 2019

Permalink

Add letterboxing options, it being white only is so obnoxious if you cant disable it at least allow different color options.

October 30, 2019

Permalink

First of all, thanks for the work on this awesome project, until now I had nothing to complain, but this update make this browser unusable for me.

The main reason is content blocking:

Request to access cookie or storage on [URL] was blocked because we are blocking all third-party storage access requests and content blocking is enabled.

The console is full of this messages, many websites as well as my userscrpts just don’t work anymore. I tried to change some settings in about:config without success.
How do I disable content blocking?

That is interesting as we are actually not using any Content Blocking functionality that goes beyond the third-party cookie blocking that we already used in Tor Browser versions before 9.0. Do you have an example of what breaks in 9.0 for you but worked in 8.5.5? We should figure out what is actually different after moving to the new Firefox version and then think about how we might fix your issue.

November 01, 2019

In reply to gk

Permalink

I've been noticing new things which I guess are due to interactions between exit nodes and destination websites, or rather with Cloudflare. I have not been sufficiently systematic to note anything reportable, however.

many websites don't load properly, e.g. xhamster.com, spankbang.com. changing circuits multiple times helps.
go there and read the console output. some examples of a bunch of messages in the console:
Loading failed for the with source “https://static-cl.xhcdn.com/xh-tpl3/js/locales/en/f4cba465.common.js”. xhamster.com:176:1
Loading failed for the with source “https://static-cl.xhcdn.com/xh-tpl3/js/a9a46a50.common.js”. xhamster.com:177:1
Loading failed for the with source “https://static-cl.xhcdn.com/xh-tpl3/js/locales/en/4408a10b.header.js”. xhamster.com:178:1
Loading failed for the with source “https://static-cl.xhcdn.com/xh-tpl3/js/630a0746.header.js”. xhamster.com:179:1
Loading failed for the with source “https://static-cl.xhcdn.com/xh-tpl3/js/locales/en/4528e8ec.index.js”. xhamster.com:180:1
Loading failed for the with source “https://static-cl.xhcdn.com/xh-tpl3/js/33620aa0.index.js”. xhamster.com:181:1
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 2 xhamster.com:104:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://static-cl.xhcdn.com/xh-tpl3/js/locales/en/f4cba465.common.js (“script-src”). 2
Request to access cookie or storage on “https://static-cl.xhcdn.com/xh-tpl3/css/8135637a.critical-index.css” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. xhamster.com
Request to access cookie or storage on “https://static-cl.xhcdn.com/xh-tpl3/css/93efaf71.index.css” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. xhamster.com

thumb file exists but is not displayed:
Request to access cookie or storage on “https://thumb-v-cl2.xhcdn.com/a/9xHi0hR3t5s-AdxXGbLPbg/012/631/594/240x135.2.jpg” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. xhamster.com

changing cookie behavior or storage options in about:config does not help.

October 31, 2019

Permalink

Скажите, как в for сохранять изображения если это возможно вообще. Я пользуюсь в основном с Android. Спасибо.

November 02, 2019

Permalink

Question/bug report regarding One-Click Search Engines (OCSE)

After updating to 9.0 using "Wikipedia (en)" OCSE always returns
"https://en.wikipedia.org/wiki/Special:Search".

So, for example, typing "tor" into the address bar and clicking Wiki icon under "Search for tor with: " gets me on
"https://en.wikipedia.org/wiki/Special:Search"
instead of:
"https://en.wikipedia.org/wiki/Tor".

Is this normal in 9.0?
Thanks for any help.

November 03, 2019

Permalink

Is there any way to disable the tor client in TB4A and make it use orbot? It's kind of annoying having to wait for it to bootstrap every time I restart the browser. Also probably better to use one set of guards. BTW, great work! Much improved and no complaints here!

November 03, 2019

Permalink

Torbrowser is phoning home regularly to aus1.torproject.org.
Have try to switch it off but it don't do.
Especially when you open about:preferences(Options).
Visible in Browser Console, sometimes in about:networking, and others.

That's new and suspicious.

aus1.torproject.org is the updates server. The browser is checking if a new version is available. This is nothing new, it has been like this since Tor Browser started including an internal updater, several years ago.

November 04, 2019

Permalink

Hello Torproject,
Torbrowser inherits a very whatthefuck from mozilla.
Everytime you open the configmenue the browser phones to
you, torproject. The vanilla Firefox to mozilla Corp. .
No setting to switch it off. .....Really?

Whats going on?

November 12, 2019

Permalink

I have windows 7 but latest tor update isn't working, "api-ms-win-ctr-convert-1|-1-0.dll is missing, despite I downloaded it and put it in the right folder, tor doesn't work. What a disgrace, I was really happy with the earlier version.

November 16, 2019

Permalink

How in hell I change/put proxy now when there's no "internet settings" from tor button anymore? It was so easy to do that before, why that was changed???

November 18, 2019

Permalink

Thank you team for everything you do. All your private time and dedication. Appreciation from the continent of Africa!

November 24, 2019

Permalink

Hi, Im trying to get my Tor browser working but it keeos giving me an error api-ms-win-core-timezone[1-1-0.dll missing
iv tried downloading the dll files and it just creates a new error with another dll needed for download.

Please advise

December 10, 2019

Permalink

When going to full screen my latest installs don't tell me not to. Is this right or do I have a dodgy download? Thanks