New Release: Tor Browser 9.0.7
Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our distribution directory.
This release features important security updates to Tor.
This release updates Tor to 0.4.2.7 and NoScript to 11.0.19.
In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow Javascript by:
- Open about:config
- Search for: javascript.enabled
- The "Value" column should show "false"
- Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.
We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.
In addition, HTTPS-Everywhere version 2020.3.16 supports a new mode of operation named EASE (Encrypt All Sites Eligible). Tor Browser users should not enable this feature. This new mode allows for adding per-site exceptions (whitelisting), however adding per-site exceptions may increase a user's uniqueness while using Tor Browser. When EASE mode is enabled, the whitelisting feature does not always work correctly, as well. We decided against downgrading the included https-everywhere version.
The full changelog since Tor Browser 9.0.6 is:
- All Platforms
- Bump NoScript to 11.0.19
- Bump Https-Everywhere to 2020.3.16
- Bug 33613: Disable Javascript on Safest security level
- Windows + OS X + Linux
- Bump Tor to 0.4.2.7
Update 2020-03-25: Added Https-Everywhere upgrade in ChangeLog and message about EASE mode.
Comments
Please note that the comment area below has been archived.
When will tor release…
When will tor release snowflake??
Snowflake is available in…
Snowflake is available in the alpha series for now. I don't know when it will be in the stable series.
Hello world
Hello world
It is still 9.06 on download…
It is still 9.06 on download page, just to let you know.
Thanks, this is now fixed.
Thanks, this is now fixed.
Oh yeah, one more thing, the…
Oh yeah, one more thing, the search suggestions are showing up in addres bar when you type the website, even if you dont have that option enabled.
"Search suggestions" are…
"Search suggestions" are those queried from web-based "search engines" and are disabled by default in Tor Browser. The address bar in Firefox autocompletes what you type based on your recent history, tabs, and bookmarks saved in the browser on your device, locally. (Tor Browser is based on Firefox ESR.)
https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox
Ehh, all downloads on the…
Ehh, all downloads on the Tor Browser download page are still only version 9.0.6.
How come so sloppy?
Thanks, this is now fixed.
Thanks, this is now fixed.
Hello! Updating Tor Browser…
Hello! Updating Tor Browser for android-9.0.6-arm7 to Tor Browser for android-9.0.7-arm7 is not possible for unknown reasons! The Android device refuses to update. The new version of Tor Browser for android 9.0.7 is not installed. Why?
Hmm, it went fine for me…
Hmm, it went fine for me. Did you try going into Settings > Apps, and clear cache and data?
You should check the…
You should check the Cryptographic Signatures of your Apks.
It is possible that the 9.0.6 or 9.0.7 apk is not the official one, it is modified.
If you have downloaded both of the apks from official resources (PlayStore, F-droid, torproject.org) it is not likely they have been modified by the developers-market admins.
In that case you should search for malware or someone did a MiTM attack against you.
Also mention that if you have downloaded Tor Browser from PlayStore and then tried do update it from F-droid, or reverse, it is not possible to do that. Maybe the same applies with torproject.org and playstore. It has to update if you do the same with F-droid and torproject.org
> Tor Browser 9.0.7 is now…
> Tor Browser 9.0.7 is now available from the Tor Browser download page
Download links haven't updated and still pointed to the version 9.0.6.
Thanks, this is now fixed.
Thanks, this is now fixed.
Why do you seriously mention…
Why do you seriously mention you ship NoScript v.11.0.19 here, but the NoScript developer turns around to upgrade it in TBB to v.11.0.22, and suppose no one really checks what that changes, and a ticket to prevent this hijacking possibility exists, and nobody cares?
Did someone review this…
Did someone review this NoScript 11.0.22 - is it OK that it updated?
Yes, automatic updates are…
Yes, automatic updates are expected.
Have you got anything that…
Have you got anything that can deal with a virus. I have real problems with virus these days.
Tor Browser does not deal…
Tor Browser does not deal with virus.
Tor Browser can help you…
Tor Browser can help you deal with virus by staying at home, I suppose.
https://blog.torproject.org/remote-work-personal-safety
Something with javascript
Something with javascript
I take this update to mean…
I take this update to mean NoScript allowed Javascript to be executed despite it being configured to not do so via a Firefox vulnerability? And the fix is to disable Javascript via about:config? If users restore previous behavior, does that mean they are vulnerable?
Noscript includes some…
Noscript includes some workarounds for the Firefox ESR bug that should prevent that from happening, but we don't know for sure if that is enough, so for safety we disabled javascript completely. If users restore the previous behavior, that does not automatically mean they are vulnerable, but we don't know for sure.
An other option is to switch the security level before visiting a website where you want to enable javascript. But you should remember that that it applies to all open tabs, and switch it back to Safest before visiting other websites.
> But you should remember…
> But you should remember that that it applies to all open tabs, and switch it back to Safest before visiting other websites.
If a background tab on Safest has
<meta http-equiv="refresh" content="5">
and I drop my active tab to Safer, does the background tab begin refreshing? Tor Browser's defaults foraccessibility.blockautorefresh
andbrowser.meta_refresh_when_inactive.disabled
arefalse
.In android come controllo…
In android come controllo che lo script sia disabilitato?
Normalmente, guardi l…
Normalmente, guardi l'impostazione del tuo livello di sicurezza.
https://tb-manual.torproject.org/it/security-settings/
Ma il post sul blog spiega che gli sviluppatori hanno implementato precauzioni per impedire a NoScript di gestire gli script in modalità "Sicurissimo" a causa di un bug in NoScript. L'impostazione precauzionale può essere vista da:
about:config
javascript.enabled
Questo è ora falso in modalità "Sicurissimo" fino a quando il bug non viene corretto.Have you fixed the problem…
Have you fixed the problem with NoScript? For a long time it has been suddenly, for no reason. cancelling settings for individual tabs and reverting to "safest"
What steps can we follow to…
What steps can we follow to reproduce this?
This is a NoScript problem,…
This is a NoScript problem, I believe it happens in my non-Tor Firefox browser as well.
My use case is having a Protonmail inbox tab open at all times. Tor security = safest, "Temp TRUSTED" turned on for the Protonmail JS. Every so often (haven't figured out what kind of interval, sometimes seems to be after hours of use sometimes seems to be in under an hour), Protonmail will get a "cannot connect to server" message. The Noscript button will now show the JS permission for the page as "Default" instead of "Temp Trusted".
Hot tip for others with this problem: I can make the JS in the tab work again without reloading (and thus avoid having to log in again) by opening a new tab with Protonmail, enabling JS, and closing it.
PS Thanks for detailing why changing the JS trust permissions using the Noscript button doesn't work this update! I was a little >:( for a minute until I saw it was working as expected.
The links on still point to…
The links on still point to version 9.0.6.
Thanks, this is now fixed.
Thanks, this is now fixed.
A persons information should…
A persons information should beprivate
Then remember to clear your…
Then remember to clear your clipboard when you close the Tor browser as the below was copied form my clipboard (after I closed the Tor brower).. "A persons information should beprivate"
*Its about time that Tor cleared the clipboard after exit as the above could of been a Journalists whole sensitive email, then heads can roll*
> Its about time that Tor…
> Its about time that Tor cleared the clipboard after exit
Long ago, it did in Windows because it inherited something from Firefox.
What if your clipboard is something you did not copy from Tor Browser? I clear the clipboard myself by copying nonsense. This way, I control when it is cleared and verify it is cleared. I paste into a plain text editor like Notepad or into Tor Browser address bar before I close it. Make sure the plain text editor does not automatically save backups, and make sure not to press Enter in address bar.
https://trac.torproject.org/projects/tor/query?status=accepted&status=a…
https://blog.torproject.org/comment/189604#comment-189604
Running this command seems…
Running this command seems to be working fine (i have a shortcut on my desktop (windows)):
C:\Windows\System32\cmd.exe /c echo. | clip
Thanks. Is there one for…
Thanks.
Is there one for Android? As Android seems to save something like the last ten things that you copy.
I suppose my concern is if everything that is copied while using Tor gets copied to a program that is outside of Tor then can it just be accessed and collected each time that something is copied?.
If so then it makes me think that nothing should be copied while using Tor.
We're getting off topic…
We're getting off topic. Search the web.
https://duckduckgo.com/?q=android+clear+clipboard
Long ago, it did in Windows…
Ah!, that's probably why I was shocked to find out that it was doing this when I tested it recently, as I'm sure that I would of tested it in the past.
Lesson learned "take nothing for granted" things can change.
Good advise and thanks for the links.
My concern is that this is not commonly known by users and I really don't think that users would expect things to be copied by default outside of a browser designed for privacy.
Even if known about just forgetting to clear the clipboard once might not be good.
Hopefully Jounelists wouldn't even use Android or Windows : )
*spooky* "sorry there was an error blah, blah, message not posted".
So I had to copy my entire message from the error page then post it out of the clipboard, great! haha o_0
17-Mar-2020 OpenSSL 1.1…
17-Mar-2020
OpenSSL 1.1.1e is now available, including bug and security fixes
Thanks, opened https://trac…
Thanks, opened https://trac.torproject.org/projects/tor/ticket/33723
uncaught exception:…
uncaught exception: 2147746065 SessionStore.jsm:1325:22
[03-24 08:05:02] Torbutton…
[03-24 08:05:02] Torbutton WARN: Your Tor Browser is out of date.
I well help for
I well help for
Page https://www.torproject…
Page https://www.torproject.org/download/languages/
still refers to 9.0.6 versions at least for 32-bit builds I need.
then why on the download…
then why on the download page, its always the 9.0.6 version ?
please fix it, thanks
I couldn't install Tor…
I couldn't install Tor Browser from website.
What is the issue?
What is the issue?
This update breaks Tor, at…
This update breaks Tor, at least in win64, with the following startup error:
We have a ticket for this…
We have a ticket for this issue:
https://trac.torproject.org/projects/tor/ticket/33702
I understand the precaution…
I understand the precaution with disabling JavaScript entirely. I just want to ask whether uMatrix is affected by this Firefox ESR vuln as well? If not, wouldn't it be preferable to simply replace NoScript with uMatrix instead of disabling JavaScript entirely?
I don't think uMatrix would…
I don't think uMatrix would solve that issue, but I am not sure.
However we have already been looking at uMatrix:
https://trac.torproject.org/projects/tor/ticket/30570#comment:16
Interestingly, this ticket…
Interestingly, this ticket mentions that uMatrix is undesirable because it doesn't block WebGL as NoScript does. Well, by default NoScript also allows WebGL as soon as you allow scripts from a certain site (Trusted zone in NoScript).
IMHO, the NoScript config that ships in TorBrowser must not enable WegGL by default for all NoScript Trusted sites. Make that setting controlled by Security Level, etc.
When will Snowflake get…
When will Snowflake get available in the stable Tor browser?
then why on your download…
then why on your download page is still the 9.0.6 version ?
hope you will fix this asap, thanks
Javascript is not work, I'm…
Javascript is not work, I'm in the safest mode
Yes, Javascript is supposed…
Yes, Javascript is supposed to not work in Safest mode.
https://tb-manual.torproject.org/security-settings/
Thanks for the javascript…
Thanks for the javascript workaround, allowing us to tweak java script permissions on a per-site basis whilst staying on the safest mode. It was driving me nuts!
That was never a good idea…
That was never a good idea in the first place. Changing any per-site settings, or any settings besides the security level, gives your browser a unique fingerprint.
But the "security level"…
But the "security level" easement allows ALL spying and 3-rd party scripts as well. Isn't it a bigger problem?
Do you want to be slightly fingerprinted or completely profiled? Your choice.
For comparison, Tails adds to TorBrowser an add-on to disable the known bad scripts - uBlock Origin. And since it's included for all users, the fingerprinting is not an issue.
> Isn't it a bigger problem?…
> Isn't it a bigger problem? Do you want to be slightly fingerprinted or completely profiled?
Yes, it is a bigger problem for a community using Tor Browser because a unique fingerprint makes you stand out immediately from other Tor Browser users, but allowing scripts makes you stand out slower from the community unless you volunteer personal information to the site. Scripts and site content are restricted as well by cross-origin settings, first-party isolation, and so on. Tor Browser also resets to default configuration whenever you open it or click New Identity. The important word there is "identity".
https://support.torproject.org/tbb/tbb-34/
https://2019.www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
https://2019.www.torproject.org/projects/torbrowser/design/
> uBlock Origin. And since it's included for all users, the fingerprinting is not an issue.
uBlock depends on lists of filters managed by third parties beyond the developers of uBlock. Some blacklist filters break specific sites, so third parties started managing whitelist filters to patch the sites broken by blocking filters. Additionally, while ad servers can be malicious and measures are taken by Tor Browser to reduce fingerprinting, an outright ad blocker would give site owners yet another reason to want to block all Tor users.
https://support.torproject.org/faq/faq-3/
You have written news on a…
You have written news on a blog, but distributions Tor Browser are not available for download.
The download links on the…
The download links on the website have been fixed.
They haven't been fixed on…
They haven't been fixed on GitHub:
https://github.com/TheTorProject/gettorbrowser/releases
And the link to GitLab here (https://github.com/TheTorProject/gettorbrowser) is a broken link.
But Half Life Alyx has just…
But Half Life Alyx has just come out, so... does Tor work with VR?
Tor has higher latency by…
Tor has higher latency by design to defend against traffic analysis. Tor is not designed for real-time multi-player games or high-resolution livestreaming. If you can proxy it, Tor can work with it up to a point. It may not work if it wants your location for DRM or geofencing, reacts sensitively for anti-cheating, or otherwise decides to block Tor. Multi-player real-time games may nonetheless suffer from response times higher than sufficient to play comfortably. In contrast, turn-based games are less sensitive to latency. Single-player games whose assets are loaded completely from your machine should not be affected by network latency while playing.
no script is broken here in…
no script is broken here in linux - cant switch on for single sides - so those sides wont function anymore - either i go back to former version or i remove no script at all.
What do u recommend?
Have you tried shield icon -…
Have you tried shield icon -> Advanced security settings -> Standard security level?
https://tb-manual.torproject.org/security-settings/
Have you set javascript…
Have you set javascript.enabled to true as described in the blog post?
A long time ago the Tor team…
A long time ago the Tor team pulled out two very useful options to turn on and off images and javascript. They replaced this with the Security Level system.
In my mind, it was deceitful to claim "JavaScript is disabled by default on all sites" with the "safest" setting when in fact javascript was not disabled in-browser, but only through a third-party plugin. This third-party plugin turned out to be faulty, making the "safest" setting UNSAFE.
This is completely unacceptable behavior and messaging from a security product.
Now we are all reaping the rewards of the Tor team's bad decision to hide the options to turn off images and javascript. Now, instead of having an option ready at hand, as we used to, the general user either has to hack into the about:config or wait for a browser update.
Why was the javascript button removed? It was because the Tor team subscribed to a STUPID IDEOLOGY OF USABILITY that focused on the supposed needs of the LOWEST IQ user. And yet it is precisely these people who were let down the most by this critical bug. The Tor team decided that this group of users were too stupid, too confused to be offered a simple global browser-level javascript on-off option.
Who is looking stupid now? The Tor team.
In addition to the Security Level system already in place, which works for most users most of the time, the Tor team MUST implement a more sophisticated security panel that offers choices, minimally the ability to turn on and off images, HTML5 multimedia, and javascript. If you want to hide it behind a warning, fine. But it needs to be there. We have just witnessed what happens when you take basic options away from users.
I don't know which…
I don't know which javascript button you are talking about.
Before the security slider was added, the disabling of javascript was done with noscript.
It was Mozilla who did that…
It was Mozilla who did that. Tor Browser is built upon Firefox and whatever is the latest incarnation of it.
There is so much garbage spy behavior built into default Firefox now, that it takes awhile to clear it all out (telemetry, studies, reporting, broadcast location, social, etc). Tor continues to remove all of that nonsense as it should. If you've ever taken to time to read the default Firefox privacy policy lately, it reads like an Orwellian nightmare. Still, its the best platform available to build Tor on right now due to the license, etc.
The NoScript plugin was popularized as an answer to counter Mozilla's unwillingness to allow users to disable their js manually, I recall this happened a long while ago.
The dumbing down of options is to bring aboard more average users, which is good for overall anonymity.
https://2019.www.torproject…
https://2019.www.torproject.org/docs/faq.html.en#DisableJS
"Alas, Mozilla decided to get rid of the config checkbox for JavaScript from earlier Firefox versions."
Dear, boklm. Does parameter…
Dear, boklm.
Does parameter ExcludeNodes {cc} gives my browser a unique fingerprint?
This can makes the behavior…
This can make the behavior of your tor client recognizable, so could be used as a fingerprinting vector.
More of a fingerprint than…
More of a fingerprint than if Javascript is running accidentally?
Any chance to add an option…
Any chance to add an option to blacklist some countries for the circuit?
I would like to blacklist the USA and UK because of their mass surveillance policies which makes me not trust them even a bit when it comes to privacy and security.
Thanks!
We are not planning add an…
We are not planning add an option for this as this is not a good idea:
https://support.torproject.org/tbb/tbb-16/
Caveat: it can decrease your…
Caveat: it can decrease your anonymity, make you more vulnerable to malicious servers and increase your fingerprint. However, it is very useful for testing and for specific instances, for instance when you want to access georestricted resources whilst staying on the tor network:
1. To apply these changes to the tor browser, edit the file: tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc
(NB: to apply the settings to the tor binary in your system, you need to edit: /etc/tor/torrc)
2. To specify the entry node, add to the end of the file the following line:
EntryNode {**}
(where {**} is the country code; you can also add a server's fingerprint)
3. To specify an exit node, add:
ExitNode {**}
-To exclude a country as an exit node:
ExcludeExitNodes {us}
-To exclude a country as any kind of node:
ExcludeNodes {us}
Once again, you probably don't want to mess with these settings for your everyday browsing, just for testing or ad hoc scenarios.
torrc-file : DataDirectory …
torrc-file :
DataDirectory ...
EntryNodes yourchoice1,yourchoice2
ExcludeNodes badnode1,{us},{cn},{??}
ExcludeExitNodes badnode2,{??}
GeoIPFile ...
GeoIPv6File ...
ExcludeNodes {US},{UK}
ExcludeNodes {US},{UK}
The tor client tries to…
The tor client tries to treat every exit node with equal distrust. I don't see your point. Furthermore, after your traffic exits Tor and is handed to the plain old internet's routing system to pass it along to wherever the destination server is located, there still are...
https://en.wikipedia.org/wiki/Five_Eyes
https://en.wikipedia.org/wiki/Submarine_communications_cable#Intelligen…
https://www.submarinecablemap.com/
https://en.wikipedia.org/wiki/GCHQ_Bude#Cable_interception
https://en.wikipedia.org/wiki/Hawaii_Cryptologic_Center
https://en.wikipedia.org/wiki/Content_delivery_network#Technology
https://en.wikipedia.org/wiki/Content_delivery_network_interconnection#…
Caveat: it can decrease your…
Caveat: it can decrease your anonymity, make you more vulnerable to malicious servers and increase your fingerprint. However, it is very useful for testing and for specific instances, for instance when you want to access georestricted resources whilst staying on the tor network:
1. To apply these changes to the tor browser, edit the file: tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc
(NB: to apply the settings to the tor binary in your system, you need to edit: /etc/tor/torrc)
2. To specify the entry node, add to the end of the file the following line:
EntryNode {**}
(where {**} is the country code; you can also add a server's fingerprint)
3. To specify an exit node, add:
ExitNode {**}
-To exclude a country as an exit node:
ExcludeExitNodes {us}
-To exclude a country as any kind of node:
ExcludeNodes {us}
Once again, you probably don't want to mess with these settings for your everyday browsing, just for testing or ad hoc scenarios.
https://2019.www.torproject…
https://2019.www.torproject.org/docs/faq.html.en#ChooseEntryExit
https://2019.www.torproject.org/docs/faq.html.en#ChoosePathCountries
Tor Browser 9.0.7 for…
Tor Browser 9.0.7 for Android doesn't work on a Samsung Galaxy S2 (i9100) with Android 4.1.2
+1
+1
Hi, I have HTTPS everywhere…
Hi,
I have HTTPS everywhere updating itself. Is it safe to let it do so, as so far I have only trusted updates from TOR and no one else.
Dear Tor admins, you get…
Dear Tor admins, you get many questions about NoScript and HTTPS Everywhere updating by themselves. Please add their questions to the support FAQ.
I’m brand new to tor. Non…
I’m brand new to tor. Non tech savvy, basically tech illiterate, just want my privacy from big brother and ad folks. I’d also like to know how to text in privacy but I’ll get to that. I use an iPhone and a surface pro 7. Any suggestions on setting up would be appreciated
Did you have a question? …
Did you have a question?
About Tor, the first set of bullets here answers it well:
https://blog.torproject.org/comment/286754#comment-286754
SMS texting is associated to your account and phone number with your mobile carrier. SMS traffic is managed by your mobile carrier, is not private, and cannot be proxied to work with Tor or VPN which go through internet. Look into messengers that are encrypted end-to-end, that try to reduce metadata leaks, and can be used on wifi. Look into Signal, Tox, Wire, FireChat, as well as CoyIM, Mastodon, and Pleroma. Develop a threat model. Decide who to trust, and learn to torify applications.
Your Surface Pro should support most desktop programs, but Microsoft has a long history of invading privacy, particularly in partnership with governments. Apple hardware, iOS, and its App Store are black boxes obscured from security auditors and developers by proprietary licenses and non-disclosure agreements. All companies right now push for vendor lock-in and dependence in their spheres of influence. Tor Browser is available on phones with Android only, but Android has had more malware historically than iOS.
Hallo, was downloading from…
Hallo,
was downloading from dist.torproject.org with TBB9.0.6 and the browser has
FIXED the encryption at (TLS_AES_128_GCM_SHA256, 128 bit keys, TLS1.3).
Setting in security.ssl3.* doesn't matter.
What's the reason for?
Downgrading http-everywhere…
Why not in changelog?
The 9.0.7 does not include…
The 9.0.7 does not include any change for this, so it was not included in the ChangeLog. The new Tor Browser version includes the newer version of https-everywhere and that was absent from the ChangeLog. It is now included. A comment about the bug in https-everywhere's EASE mode is now included in the blog post, as well.
Are there any plans for an…
Are there any plans for an Arm version? I would love to run Tor Browser on a Pinebook.
We have this ticket open…
We have this ticket open:
https://trac.torproject.org/projects/tor/ticket/12631
As of this date NoScript is…
As of this date NoScript is still periodically crashing or switching off my temporary resettings
Reinstall.
Reinstall.
Thanks for the update just…
Thanks for the update just to let you know the embedded PDF reader pdf.js does not work anymore in safest mode because of the JS engine being disabled.
It would be useful to at least serve a fallback message "download PDF" (the pdf.js button for downloading does not work with JS disabled)
Thanks for the report, I…
Thanks for the report, I opened a ticket for this:
https://trac.torproject.org/projects/tor/ticket/33721
Исчезла кнопка блокировки…
Исчезла кнопка блокировки HTML5-отпечатка (надеюсь я правильно выразился и вы меня поняли). Теперь нельзя заблокировать иньекцию отпечатка HTML5 от всех сайтов, которые это пытаются делать.
I'm sorry, I do not…
I'm sorry, I do not understand. Are you referring to the "canvas" permission?
----
Простите, я не понимаю. Вы имеете в виду разрешение «холст»?
NoScript 11.0.23 - Released…
NoScript 11.0.23 - Released Mar-25-2020 : https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=search
There is a HUGE problem with…
There is a HUGE problem with Tor on Android.
If somebody has changed cookies or DNT settings and after shut down the browser, the next time opening the browser, even settings apear to be fine, the fact is that the have been changed as they were before before they got changed!
However if you change them after the browser starts there is no problem.
The same goes each time you shut down and start Tor.
I apologize for my terrible English...
Changing cookes or DNT…
Changing cookies or DNT settings will change your fingerprint, so it should be avoided.
Even if accidenticaly…
Even if accidenticaly someone change these settings and then set their values to the default ones, the values are gonna be those he had seted at first, the dangerous ones as you have said.
Where can I find SHA-1 and…
Where can I find SHA-1 and SHA-256 signatures for Android?
https://dist.torproject.org…
https://dist.torproject.org/torbrowser/9.0.7/sha256sums-signed-build.txt
https://dist.torproject.org/torbrowser/9.0.7/sha256sums-signed-build.tx…
If I have first installed…
If I have first installed tor browser in a previous version should the signature after 9.0.7 update be the 9.0.7 apk signature or the signature of the version I have first downloaded?
Why do every version has a different signature?
I am talking about SHA-256 signature.
Have you got the Signatures?…
Have you got the Signatures?
You have uploaded a link with SHA-256 Checksums.
I only can verify SHA-256 Signatures.
In my apk SHA-256 signature appears to be 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8
Signature Type: SHA256withRSA
Key Type: RSA 4096bit
App used: Checkey (Guardian Project)
noscript, https-everywhere…
noscript, https-everywhere where not updated maybe because they are set to off for automatic updates, though thought this was recommended. About time you ditched them and integrated the functions.
Currently, updates of https…
Currently, updates of https-everywhere and noscript are still enabled by default.
https://bugs.torproject.org/10394
That is not good. Extensions…
That is not good. Extensions are known vectors, my research shows these in particular have had issues. Look at all the dates on these bugs with no fixes. This is not good either. Most extension vulnerabilities can be prevented by disabling any connection function or blocking their connections entirely. For example https-everywhere even has its own internal self-update function, though this fortunately appears to be disabled in preferences, though not disabled/removed entirely, as it really should be.
No, disabling extension…
No, disabling extension updates does not prevent vulnerabilities. The vulnerabilities in the extensions are the same whether or not we enabled extension updates. The only thing that is changing is how users are getting the fixes. In the past, extension updates have been used to fix vulnerabilities (mainly to noscript). This is the reason why we kept extension updates enabled. Making a new Tor Browser release involves a lot of work, so having the option to fix an issue with a noscript updates saves us a lot of time. However it is also better if users don't have to trust updates from multiple sources, which is why we are considering disabling updates for the the extensions we ship.
Contradiction? You ignored…
Contradiction? You ignored what I said, or I was not clear enough. So you verify every automatic update? Seems like it would be less work and safer to integrate the functions. Disabling and removing extensions does prevent vulnerabilities, by your own advice of not installing them. My main point here is having internal extension connection functions that can update themselves internally even though they are disabled by default is poor practice. There is even a big warning message in https-everywhere. What more do you need? I appreciate it takes a lot of effort, though recently you had a big bug raising fund. Thought you stated it was great and would be used to fix bugs. If there is a lack of developers and support then that is a great shame. Lives depend on Tor as you no doubt know. I am grateful for your efforts regardless.
tor browser crashes upon…
tor browser crashes upon start tried deleting and re installing not working still
Do you have an error message…
Do you have an error message? Which operating system are you using? Was it working before?
Nessun messaggio di errore,…
Nessun messaggio di errore, sto usando android su tablet
Often pages are endlessly…
Often pages are endlessly loading, so clicking New Tor Circuit, but this fails due to the page still trying to load and just gives a blank page, resulting in having to wait a long time for it to fail before you can choose a new circuit.
> Often pages are endlessly…
> Often pages are endlessly loading
Do you mean on this blog, or do you mean other websites?
https://trac.torproject.org/projects/tor/ticket/22530
All and any websites, it's a…
All and any websites, it's a general problem.. Endless loading.. try to get a new circuit.. blank page.. have to wait for failed loading until able to choose a new circuit to avoid getting just a blank page.
You mean they timeout and…
You mean they timeout and stop, not that they refresh on their own like this blog. Do any sites load successfully?
You can stop loading by pressing the Escape key or by opening the right-click menu on the page and clicking the X or by dragging the Reload button to your toolbar (Customize) that will turn into an X as pages are loading.
The sites could be blocking Tor. Even if a site is not blocking Tor, some sites need JavaScript or features that are less private, and some sites load faster if those features are disabled. You can try one of the other security levels in the shield icon, and then load the site. Sites ending in .onion are slower in general, and smaller onion sites are down more often. It could be that the sites you are trying do not exist anymore.
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_erro…
Yes they timeout and stop,…
Yes they timeout and stop, failing to load.. It can happen on any page.. Yes they load successfully but only after they can timeout and a new circuit can be chosen.. If a new circuit is chosen before the timeout then it results in a blank page.
Why tor browser uses win10…
Why tor browser uses win10 32bit user agent?
64bit machines are more popular today.
_all_ firefox/tor browser…
_all_ firefox/tor browser builds use Win32 for navigator.platform for legacy reasons - everyone is the same
- FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=1472618
Yes, but UA header and…
Yes, but UA header and navigator.userAgent still return real platform.
Tor Browser:
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Firefox on Windows 10 x64:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
And this is a real bug!
And this is a real bug!
Disqus functionality still…
Disqus functionality still completely broken. Any sites using disqus are unusable regardless of settings.
Disqus functionality is…
Disqus functionality is still completely borked, rendering any site using Disqus (which is a lot) useless. Setting security and java-script to minimum and allowing everything and still no workie. Something is fundamentally broken as far as Disqus...
wow why legitimate comments…
wow why legitimate comments not show up seem even you are doing censorship...
This is our blog comment…
This is our blog comment policy:
https://trac.torproject.org/projects/tor/wiki/doc/community/blog-commen…
Ok sorry but I waited for…
Ok sorry but I waited for days, sorry for the spam, thought it wasn't working. You should show a clear message and include this link.
why does your website use…
why does your website use javascript?
I keep getting hundreds of…
I keep getting hundreds of these popups from Tor Browser, from a legit website
"NoScript XSS Warning"
the only thing that helps is to minimize it
Here is a screenshot
https://paste.pics/bc49f1ea024a6818355d747995aedc33
+1
+1
Click "Always block" then …
Click "Always block" then "OK". Or open NoScript menu and set nypost.com to turn off scripts in its Custom permission. NoScript is reset when you change security level. To disable all scripts on all websites, set safest level.
I went to the DuckDuckGo…
I went to the DuckDuckGo onion website. I was on the safest level. It popped up a cross site scripting popup and then I blocked all XSS from that site. Now when I try to go to the Duck Duck Go onion URL the browser does not load it. However when I go to search the Clearnet Duck DuckGo url I can find pages that link to the DUCKDuckGo Onion url and when I follow the links it goes there and works. But no matter how many times I try to load the url from my bookmarks it does not work.
Step by step, verify your…
Step by step, verify your bookmark. Then, from where was the XSS being loaded? Was it duckduckgo.com or duck.co, or was it someplace else? If it's still suspicious, scan your computer for viruses and/or reinstall Tor Browser. Contact DuckDuckGo support.
Still no android version on…
Still no android version on the play store?
It is not a good idea to…
It is not a good idea to download/update Tor from playstore.
Google may even try to modify the app and add NSA backdoors. It is well know that they are cooperating for many years with NSA and other intelligence agencies.
Just use this website or fdroid..
And if you want to be sure check the pgp and sha signatures of the apk you have downloaded to be sure it is not modified...
There are tab crash…
There are tab crash vulnerabilities that will cause all extensions to be disabled.
Do you have more details?
Do you have more details?
Seems to be with javascript …
Seems to be with javascript / memory buffer overflow. Extensions become functionally disabled, it would appear their internal javascript stops functioning.
What makes you think that?
What makes you think that?
.... Because it happens??
.... Because it happens??
What happens? Claiming…
What happens?
Claiming there are vulnerabilities without providing any technical detail is not very useful.
Did you not see my reply…
Did you not see my reply saying it causes extensions to become functionally disabled? Their menus still open but they are mostly blank, all their internal javascript for websites appears to stop working. It appears the javascript engine crashes or something.. So I would recommend embedding the functions in the browser so this would not happen. I'm not going to try to tell you how to crash tabs, thought this was your area of expertise. Think I already said enough that shows the problem. Surely you know how to perform javascript / memory buffer overloads. If you ask short questions, expect short answers. It's as if you don't use the browser yourself or something!
Just to add here, part of…
Just to add here, part of this or similar vulnerabilities, appears to be the ability for sub-processes (tabs) to crash whilst the root-process (browser) is still running.
The lack of professionalism…
The lack of professionalism here is at best embarrassing and at worst scary. At a time of global emergency it is saddening that this supposed security project is greatly lacking. You speak of the importance of security and yet you don't even bother to fix your own website or clear vulnerabilities. Perhaps this project should come with a health warning of its own!
Not to sound ungrateful,…
Not to sound ungrateful, many of the browser problems should really be fixed by Mozilla.
Do you have a bug report?…
Do you have a bug report? Did you search the bug tracker to see if your concerns have been reported already? Are you participating in the mailing lists?
Yes I have posted them here…
Yes I have posted them here but not being taken seriously. The bug tracker appears to have many similar bugs that aren't being fixed in many years! I am beginning to lose trust here.
You aren't being specific.
You aren't being specific.
I kindly suggest you read…
I kindly suggest you read this entire thread and visit the links contained here-in.
Having issues with…
Having issues with connection stability. What is the best way to connect to Tor (cable provider, personal WiFi via hotspot on a smart phone, or others)? Bisq loads with Tor, any suggestions for establishing a stable connection in within Linux Ubuntu? Thank you.
tor will attempt to…
tor will attempt to reconnect if the connection is broken. Connection stability is usually independent of tor and thus affects connections not through tor as well. If a Tor circuit is unused, it will expire after a maximum of 10 minutes, and a new circuit will be created. I don't know if an active connection held open by an application would be forced to close if its circuit is older than 10 minutes. I don't think it should.
Tor Exit Failures Average…
Tor Exit Failures
Average probability-weighted failure rate: 74.7%
Test ran at 2020-03-27 20:16:00 UTC
What's going on?
Hello, the Tor Browser…
Hello, the Tor Browser telling me now that the Tor is broken. I can see red page with "Something went wrong" message. I use Windows 7 32-bit. I updated yesterday on 9.0.7 version. I saw this red page before update but after the update it disappeared. But now, the day after my update, i see it again and there is no description of the problem.
How to resolve this, please? How to fix the Tor and make the Tor Browser functional again?
Does it say, "Tor is not…
Does it say, "Tor is not working in this browser"? That would be a description of the problem. The tor daemon (or "expert bundle") is a network proxy daemon that is packaged in the Tor Browser Bundle. The error basically means the tor daemon is not running. It is supposed to start when you open the browser, before the window appears. However, as it is a separate program, it can crash, and it won't crash the browser program. If the browser cannot access the tor daemon, the browser displays an error.
Does https://check.torproject.org/ return "Congratulations"? If not, exit all windows of the browser, wait 10 seconds, and reopen the browser.
Read the daemon's connection log to see if there are any error messages:
https://support.torproject.org/tbb/tbb-21/
Don't paste the log online if you configured bridges.
Hello! I hope you are using…
Hello! I hope you are using Firewall? Make sure the only tor.exe is allowed to communicate via network.
Concerning your issue - it is old "bug" on Windows. - You have just to restart your browser.
I use tor safest mode…
I use tor safest mode because it prevented javascript except on sites I explicitly set to trusted. This no longer works due to the complete disabling of javascript. Will it return to the previous functionality at some point?
Quoting the blog post, "We…
Quoting the blog post, "We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability."
Is there anyway to get…
Is there anyway to get TorBrowser installed on Raspbian?
Sort of. Raspbian is…
Sort of. Raspbian is essentially just Debian Linux underneath. The problem is that Raspberry Pis use ARM processors, so there has to be a reproducible build of the modified Firefox for them.
https://trac.torproject.org/projects/tor/ticket/12631
https://trac.torproject.org/projects/tor/ticket/24454
After I upgraded my android…
After I upgraded my android to 10, both Orbot and Tor Browser stopped working. The upgrade to new android was pushed by Samsung and the phone is not rooted.
Orbot keeps saying application request when we haven't used client functionality lately.
Tor browser however gives the following error:
Warning: pluggable transport process terminated with status code 6.
Any ideas?
Tor browser su android non…
Tor browser su android non apre nessuna pagina e si blocca subito dopo averlo avviato come posso risolvere?
Lately I cant connect using…
Lately I cant connect using obfs anymore, anyone know why?
Check if your bridges are…
Check if your bridges are down. Paste a bridge fingerprint in Relay Search (and ONLY in Relay Search):
https://metrics.torproject.org/rs.html
https://2019.www.torproject.org/docs/bridges.html.en#Understanding
Offline, fingerprints are saved in your torrc file. Don't edit it.
https://support.torproject.org/tbb/tbb-editing-torrc/
If your bridges are down, disable them and connect through Guard relays. Or if you absolutely need bridges, you can request another set:
https://support.torproject.org/censorship/censorship-4/
If they're up but you can't connect, then the issue may be temporary, or there may be a problem on your specific network.
According to an app I am…
According to an app I am using (checkey, guardian project), the SHA-256 signature of Tor Browser for Android is 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8
However the SHA-256 signature you have uploaded is different.
Is the apk fake?
I downloaded the apk from torproject.org on 2 devices and the signature is the same.
If someone knows the answer I would be glad for helping me.
I think…
I think 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8 is the fingerprint of the certificate signing the apk, not the hash of the file.
Under the section USING…
Under the section USING PLUGGABLE TRANSPORTS
I still guess you should open the menu at the top right, for rather Customize instead.
Perhaps still a bit more left to do, before any finished product here, because here also something missing when only installing the Tor browser.
This person is talking about…
This person is talking about instructions in the Tor Browser Manual here:
https://tb-manual.torproject.org/circumvention/
It does say to open the menu at the top right. The second paragraph says, "click on 'Preferences' in the hamburger menu." The "hamburger" menu is the browser's main menu whose icon is a stack of 3 horizontal lines. "Customize" is an unrelated tab where you can edit your toolbar. There is nothing in "Customize" that will help.
You can change the language of the purple website at the top of the page.
In the next stable version,…
In the next stable version, will the problem with obsf4 bridges on android get fixed?
I have a question or two. I…
I have a question or two. I use TOR and Firefox. I noticed that somehow they are connected. What is the connection for TOR and Firefox. Is there going to be a takeover of one or the other sometime in the future. Also I noticed when I bring up TOR it does not go full screen. Is it ok to blow it up full screen or will that pose some sort of security risk. Thank you so much.
Tor Browser is based on…
Tor Browser is based on Firefox, with additional patches and customization. We are collaborating with Mozilla to integrate our changes into Firefox as much as possible (sometimes behind a pref). But the two organizations are independent.
You can maximize the browser window. The window size is a fingerprinting vector, but the letterboxing feature mitigates that:
https://support.torproject.org/tbb/maximized-torbrowser-window/
I used to love this browser…
I used to love this browser but it is still not working for me. I have the old windows 7.... could this be the issue?
What happens when you try to…
What happens when you try to start Tor Browser?
Yes, your Win7 should be up…
Yes, your Win7 should be up-to-date.
New geoip data files would…
New geoip data files would be necessary and very nice.
I think there maybe some…
I think there maybe some cognitive dissonance here, in that.. (it's too much work, not enough resources). But security is too important to skip steps. I see you got another donation.
https://mastodon.social/@torproject/103923777846857760
Hope it can be put to good use.
Is a version of iOS online?
Is a version of iOS online?
https://support.torproject…
https://support.torproject.org/tormobile/tormobile-3/
There were two critical zero…
There were two critical zero day vulnerabilities discovered in Firefox yesterday. These zero day vulnerabilities have apparently been observed in the wild. They both involve use-after-free vulnerabilities. They have been patched in Firefox and Firefox ESR. Here's a link to the advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Presumably, these vulnerabilities affect Tor as well as it is based on Firefox. As it is now a day old and no updates or comment from Tor. These are both CRITICAL vulnerabilities. When can we expect them to be patched in Tor as well as TAILS?
We are working on a new…
We are working on a new release fixing this.