New Release: Tor Browser 9.0a6
Update 6/9 0600UTC: Added another known issue.
Tor Browser 9.0a6 is now available from the Tor Browser Alpha download page and also from our distribution directory.
Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
This release features important security updates to Firefox.
This is the first alpha release based on Firefox ESR68, and therefore contains several important changes such as the rebasing of our Firefox patches, toolchain updates, integration of Torbutton directly into the browser and updates to Tor Launcher to make it compatible with ESR68.
If you find any issue with this release, please help us by reporting them so we can fix as much as we can before the first stable release based on ESR68, which is planned for October 22.
Known issues:
- Tor Browser 9.0a6 is not reproducible on some platforms right now: We have issues on 32bit Linux, Windows, and Android. Those are planned to be fixed in the next alpha release, though, to give the usual guarantees reproducible builds aim to provide.
- New Identity and the bridge configuration in the browser are not easily accessible anymore as we removed the onion button. We are currently working on a replacement for both: New Identity will be exposed directly in the toolbar and the bridge configuration gets integrated in the Firefox settings. For New Identity please use the shortcut (Ctrl+Shift+U) for now or the item in the hamburger menu.
- We already have a number of known tickets we need to work on in the coming weeks. The most important ones are tagged with the tbb-9.0-must-alpha keyword. Moreover, we have accumulated Firefox 68 ESR related issues over the time that can easily be queried with our ff68-esr keyword.
The full changelog since Tor Browser 9.0a5 is:
- All platforms
- Update Firefox to 68.1.0esr
- Update NoScript to 11.0.3
- Bug 30429: Rebase patches for Firefox 68 ESR
- Bug 10760: Integrate Torbutton into Tor Browser directly
- Bug 25856: Remove XUL overlays from Torbutton
- Bug 31322: Fix about:tor assertion failure debug builds
- Bug 31520: Remove monthly giving banner from Tor Browser
- Bug 29430: Add support for meek_lite bridges to bridgeParser
- Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
- Bug 30683: Prevent detection of locale via some *.properties
- Bug 31298: Backport patch for #24056
- Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
- Bug 27601: Browser notifications are not working anymore
- Bug 30845: Make sure internal extensions are enabled
- Bug 28896: Enable extensions in private browsing by default
- Bug 31563: Reload search extensions if extensions.enabledScopes has changed
- Bug 31396: Fix communication with NoScript for security settings
- Bug 31142: Fix crash of tab and messing with about:newtab
- Bug 29049: Backport JS Poison Patch
- Bug 25214: Canvas data extraction on locale pdf file should be allowed
- Bug 30657: Locale is leaked via title of link tag on non-html page
- Bug 31015: Disabling SVG hides UI icons in extensions
- Bug 31357: Retire Tom's default obfs4 bridge
- Windows + OS X + Linux
- Update Tor to 0.4.1.5
- Update Tor Launcher to 0.2.19.3
- Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
- Bug 31251: Security Level button UI polish
- Bug 31344: Register SecurityLevelPreference's 'unload' callback
- Bug 12774: Selecting meek in the browser UI is broken
- Build System:
- Bug 31465: Bump Go to 1.12.9
- Windows
- OS X
- Linux
- Bug 31403: Bump snowflake commit to cd650fa009
- Android
- Build System:
- All Platforms:
- Bug 30585: Provide standalone clang 8 project across all platforms
- Bug 30376: Use Rust 1.34 for Tor Browser 9
- Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
- Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
- Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
- Windows
- OS X
- Linux
- Android
- Bug 30324: Android toolchain update for Fennec 68
- Bug 31173: Update android-toolchain project to match Firefox
- Bug 31389: Update Android Firefox to build with Clang
- Bug 31388: Update Rust project for Android
- Bug 30665: Get Firefox 68 ESR working with latest android toolchain
- Bug 30460: Update TOPL project to use Firefox 68 toolchain
- Bug 30461: Update tor-android-service project to use Firefox 68 toolchain
- Bug 28753: Use Gradle with --offline when building the browser part
- Bug 30324: Android toolchain update for Fennec 68
- All Platforms:
Comments
Please note that the comment area below has been archived.
I feel like something is…
I feel like something is wrong with this release.
not only did features like the "new identity" button disappear. and the browser feels more like a vanilla firefox than torbrowser (with stuff like pocket enabled, and settings changed).
but firefox.exe is also suddenly creating a firewall alert, trying to connect to a few IPs at port 80.
Which Windows version are…
Which Windows version are you on? And, yes, this is one of the rare alpha releases which are really an alpha release: A New Identity button will appear (see: https://trac.torproject.org/projects/tor/ticket/27511), hopefully in the next alpha, while the onion button will be gone for good. Pocket still needs to get disabled, yes.
What settings did get changed?
> while the onion button…
> while the onion button will be gone for good
You are not removing the security slider, are you? How will we access that?
The same way it is already…
The same way it is already accessed since Tor Browser 8.5: there is the icon prominently on the toolbar now. So, no, there are no plans to remove the slider/security settings.
Can you tell phony…
Can you tell phony Cloudflare to add the Firefox 68 UA to the whitelisted ones? We don't want to have to deal with captchas all the time again... Thanks!
Done.
Done.
New Tor browser crashs on…
New Tor browser crashs on samsung s9.
Thanks for this bad version.
Orbot/Orfox was perfect.
Any solution?
For now you could use the…
For now you could use the alpha version: https://dist.torproject.org/torbrowser/9.0a6/ while we are working on fixing the problem in https://trac.torproject.org/projects/tor/ticket/31616.
Thank you for linking to…
Thank you for linking to those bug reports in the blog post! I found issues #30662 and #31601 useful for understanding the (temporary) visual changes in the browser.
Just installed /updated my…
Just installed /updated my Tor Browswer to 9.0.a6
And now all of the comments im Bookmarks are gone! Why is that ?!?
There were essential comments/infos on the related pages!
How can i get back these informations?
You mean your bookmarks are…
You mean your bookmarks are gone? Or something else? How did you create those comments?
Which operating system are you on?
Thanks for the reply. No, no…
Thanks for the reply.
No, no not the bookmarks themelves - but the description fields are empty
Right-click on a bookmark -> Properties -> and then you get several fields (Name, Location, Tags, Keyword, Description) for each bookmark. Most essential one, of course, is "location"
For example: in my Tor-Blog Bookmark you can find the Description "Best Anonymous Browser in the world!".
And it's gone!
Other comments/description are way more important - and they are also gone.
I switched back to Tor-Browser 8.5.5 - and eyerthing is fine. All the fields filled with the information I hacked in over the last years.
OS is Linux (Fedora 5.2.11-200.fc30.x86_64 ) .
Okay, I opened https://trac…
Okay, I opened https://trac.torproject.org/projects/tor/ticket/31731 for further investigation.
The field "Description" was…
The field "Description" was replaced by "Keyword" in the properties of each bookmark. Guess that's the problem.
If you ment descriptions…
If you ment descriptions then see this
https://www.mozilla.org/en-US/firefox/62.0/releasenotes/
still broken in sandboxie
still broken in sandboxie
> Bug 31465: Bump Go to 1.12…
> Bug 31465: Bump Go to 1.12.9
Wrong ticket number.
No. The bump got done in…
No. The bump got done in that ticket as it was necessary for the notarization part.
-O1 on clang is unacceptably…
-O1 on clang is unacceptably slow.
Do you mean for Windows?…
Do you mean for Windows? Should be fixed in the next ESR version: https://hg.mozilla.org/releases/mozilla-esr68/rev/1e5260c1256c65239aa8e…
-O3 for JS?
-O3 for JS?
hello, something's…
hello,
something's definitely wrong.
Operating system Mac OSX (version 10.14.6)!
After update nothing works anymore, Tor freezes, the settings can't be called - in short I can't use it. Had to restore version 9.0a4 (based on Mozilla Firefox 60.8.0esr) (64-bit) from backup.
Do other users also have such problems?
You are the first one…
You are the first one reporting that. Does the problem still occur with a clean installation, e.g. to a different location like your Desktop (just drag the app there after double-clicking on the .dmg)?
Yes. Despite a clean…
Yes. Despite a clean installation, the two most obvious things that no longer work are "Quit" (I have to force-quit the application) and the "About" window no longer displays. I've not had it installed for very long, so there may be more discoveries yet to be made. (macOS 10.4.6)...
Yes, that's https://trac…
Yes, that's https://trac.torproject.org/projects/tor/ticket/31607.
Developer! In mobile…
Developer! In mobile versions of Tor Browser for Android devices there is a vulnerability when using "Privacy Tab". After authorization on the site and further closure of the "Privacy Tab" in the browser remain identification data that are not deleted after clearing the cache!
In tests: Re - visit the site after clearing the cache shows automatic registration on the site! In the process of developing the Tor Browser version 9.0a3 - 9.0.a6 for Android this vulnerability persists in the browser. This vulnerability is a constant security threat to all users of Tor Browser for Android!
Version 9.0a3 - 9.0a6 use is dangerous!
Offered to take a test:
1) log on to the website and complete the authorization.
2) do not click on the "exit" button, and clear the browser cache. Page closes. The browser will report: the data has been deleted.
3) re-enter the site without going through the authorization procedure.
You will see that you are logged into your account without entering a login and password.
******************************************************************
Разработчик! В мобильных версиях Tor Browser для андроид устройств наблюдается уязвимость при использовании "Privacy Tab". После авторизации на сайте и дальнейшего закрытия "Privacy Tab" в браузере остаются идентификационные данные которые не удаляются после чистки кэша!
При тестах : Повторное посещение сайта после чистки кэша показывает автоматическую регистрацию на сайте! В процессе разработки Tor Browser версий 9.0a3 - 9.0.a6 для андроид данная уязвимость в браузере сохраняется. Подобная уязвимость представляет постоянную угрозу безопасности всем пользователям Tor Browser для андроид!
Версиями 9.0a3 - 9.0a6 пользоваться опасно!
Предлагаю пройти тест:
1) войдите на сайт и пройдите авторизацию.
2) не кликайте на кнопку "выход", и очистите кэш браузера. Страница сайта закроется. Браузер сообщит: данные удалены.
3) повторно войдите на сайт не проходя процедуры авторизации.
Вы увидите, что вошли в свой аккаунт без ввода логина и пароля.
#26847 This is not fixed as…
#26847 This is not fixed as was stated. This full page pop-up occurs at the oddest of times. As I mentioned awhile ago, it is as relentless as a damn captcha. It even popped up on your email from today with this tor-announce! So please don't claim that it is fixed. Otherwise, thank you again for your work. Let us hope that soon this nuisance will go away. It is difficult to use the computer when it is in the way.
You mean you still get a …
You mean you still get a *full page* popup? (Yes, there is still a popup in case NoScript thinks something is wrong, but it should be way smaller). Which NoScript version are you on? What is the suspicious URL NoScript is reporting?
Thank you gk for your reply…
Thank you gk for your reply. I am on 11.0.3 and yes, there was a full page popup that occurs and holds for a second prior to reducing to a smaller coverage. I don't have the one I mentioned's URL written down, although it came up when I opened your email. It occurs when certain, innocent emails like yours are clicked on and at other times. I usually don't do anything that seemingly causes it. After awhile, you see enough of them that you just want to stop them and get them away as quickly as poss. I know a couple of sights that are guaranteed to make them happen, even though the sites' safety you wouldn't expect compromised. Any thing I can do to help you I will try to do. (I am not as computer savvy as you are, I'm sure). Thanks again.
Do you have an example site…
Do you have an example site which reproduces the problem for you (and does not require logins etc.)?
F.Y.I. - This initial post…
F.Y.I. - This initial post was meant for under the new 8.5.5 Sorry it is in the wrong spot. (not for under 9.0a6).
No worries, our blog is…
No worries, our blog is still quite confusing. :(
After updating, this Tor…
After updating, this Tor Browser does not start in Whonix anymore (the script says "Exited with code 255").
And the freshly downloaded instance does not run either.
And the manual "sh -c ..." launch command appeas to launch it, but nothing really opens up.
Script changes?
I suspect that's https:/…
I suspect that's https://trac.torproject.org/projects/tor/ticket/31646. Does the workaround mentioned in the ticket help for the time being?
Thanks for the possible fix…
Thanks for the possible fix.
I already downgraded this alpha to the stable version. That still runs good in the same system, as before.
I'll be looking for the next great alpha, though.
Thanks for your work!
Georg, can we get an…
Georg, can we get an official statement on whether it's safe to switch to the black Firefox theme when we click on Hamburger Menu > Customize or does it engender fingerprinting concerns? (though I have 0 idea how it could be possible to determine the theme that one is using by JS unless of a potential bug)
OS: Windows_10 x64…
OS: Windows_10 x64 Enterprise 1903 18362.239
Tor 8.8.5
--------------
I can't connect to TOR.
How can I connect to TOR ?
However
Connection is possible when Windows Firewall is disabled.
(I use Maiwarebyte Firewall controll.
Usually set as follows.
Medium Filtering
Outgoing connections that do not match a rule are blocked)
[img]https://i.imgur.com/MDzqX1b.jpg[/img]
Tor is installed below.
C: \ Tor Browse \ Browser
When installing to the original desktop directory,
it was possible to connect to TOR.
-------------------------
[img]https://i.imgur.com/3OoHUIU.jpg[/img]
--------------------------
Error Log:
9/7/19, 02:42:56.770 [WARN] Problem bootstrapping.
Stuck at 0% (starting):
Starting. (Permission denied [WSAEACCES ];
RESOURCELIMIT; count 10;
recommendation warn;
XXX)
9/7/19, 02:42:56.950 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
9/7/19, 02:42:56.960 [NOTICE] DisableNetwork is set.
Tor will not make or accept non-control network connections.
Shutting down all existing connections.
9/7/19, 02:42:56.960 [NOTICE] Delaying directory fetches: DisableNetwork is set.
-------------------
I have to correct, not *all*…
I have to correct, not *all* of the fields are empty, but the "Description" field, where I used to store my notes.
This release doesn't start…
This release doesn't start as a native wayland client, even with the GDK_BACKEND=wayland variable. Sad.
> Tor Browser must be run within the X Window System.
That's probably https://trac…
That's probably https://trac.torproject.org/projects/tor/ticket/31729. We'll see what we can do.
I'm using tor android…
I'm using tor android. Browser has an option to play video on browser's player from websites. Also have an option to save the video. The problem is when i save a video by choosing that option nothing happened. I repeatedly complained on Google play review since more than 1 years. Please help me. What was the problem.
On MacOS 10.13.x, nothing…
On MacOS 10.13.x, nothing happens when clicking Tor Browser > About Tor Browser.
On MacOS, in the Tor Browser…
On MacOS, in the Tor Browser menu, the following items don't work: About Tor Browser, Preferences, Hide Tor Browser, Hide Others, Show All, & Quit Tor Browser.
All of that is tracked in…
All of that is tracked in https://trac.torproject.org/projects/tor/ticket/31607 and we are working on it, thanks!
Already told you but i say…
Already told you but i say it again, it's impossible to close the app Tor, I have to do Alt+Cmd+Esc to close it. I am on Mac OX 10.13.6.
I hope a new release soon. Thanks
Configuring an Android-based…
Configuring an Android-based mobile device for authenticated Version 2 Onion Services
how does it works with the new Tor Browser 8.5.5
i cannot find the torrc and with orbot is doesn't work
How did you used to…
How did you used to configure authenticated v2 versions? And what do you mean with Orbot it does not work? We did not change anything in Orbot. In fact, we are not even using Orbot (anymore) in the browser.
In April of this year @gkgk…
In April of this year @gkgk assured us releasing a separate APK of new Tor Browser (not Orfox) for Android devices. What happened to it? You very well know that new Tor Browser does not support Alwasy-on VPN functionality and the entire Tor network shuts down when you exit new Tor Browser.
Also, Orbot and new Tor Browser do not work together.
Orbot on the other hand, has supported such features and no data leak is possible due to Android's new "Block connection without VPN" function. This is right now the only way to completely tunnel entire Android over Tor network.
We just need a separate APK of Tor Browser which can be used over Orbot.
Looking forward to your response.
Ref.: Reddit Post That Inspired Me!
Latest version added a…
Latest version added a permission in android to change audio settings. What's the purpose of that?
Which permission do you mean…
Which permission do you mean? Any example to trigger this?
It's not triggered, since it…
It's not triggered, since it's not one that can be denied. It's listed as a new permission in the "other" group when viewing the permissions on the play store page. The name may vary by device but for me it's "change your audio settings."
the new alpha 9.0a6 does not…
the new alpha 9.0a6 does not start at all in debian 10, not from source folder and not from command line either. it pauses as if it wants to start but nothing happens?
fresh install from torproject, sig verified, linux 64bit
What happens if you start it…
What happens if you start it from the command line with
./start-tor-browser.desktop --debug
? What errors are you getting?Tor Browser 9.0 Alpha 6 does…
Tor Browser 9.0 Alpha 6 does not use all localization files, except the Connecting window all other strings on Welcome page and menus instead on Macedonian are on English!
* Also I have reported this on ticket #30468 4 days ago.
Yep, thanks. I am about to…
Yep, thanks. I am about to look into it. We have https://trac.torproject.org/projects/tor/ticket/31725 to track that work.
google captha is broken on…
google captha is broken on safer: nothing after solving!
Received unexpected result…
Received unexpected result type undefined, falling back to typed transition. WebNavigation.jsm:217
onURLBarUserStartNavigation resource://gre/modules/WebNavigation.jsm:217
observe resource://gre/modules/WebNavigation.jsm:136
_notifyStartNavigation resource:///modules/UrlbarInput.jsm:1364
_loadURL resource:///modules/UrlbarInput.jsm:1240
handleCommand resource:///modules/UrlbarInput.jsm:446
_initPasteAndGo resource:///modules/UrlbarInput.jsm:1333
Any steps to reproduce this…
Any steps to reproduce this error? Does this happen with a clean Firefox 68 ESR as well?
STR: every PasteAndGo
STR: every PasteAndGo
Thanks. I opened https:/…
Thanks. I opened https://trac.torproject.org/projects/tor/ticket/31764.
We are again seeing DEBUG…
We are again seeing
DEBUG_FLAGS="-g -gcodeview"
in win64 release. Pls, fix it.
Where are you seeing that…
Where are you seeing that and what do you mean with "again"?
Doh, about:buildconfig,…
Doh, about:buildconfig, obviously.
Yeah, but that does not say…
Yeah, but that does not say anything about what actually gets shipped to users. Hence I was asking. The debug info is not included in the bundles distributed (which is why we exempted
libc++.a
from getting created with debug info), so we are good here _and_ we can make progress on https://trac.torproject.org/projects/tor/ticket/31546.Compile without them and…
Compile without them and prove shipped builds are not affected (by comparing hashes). FWIW, it was a confirmed bug in Firefox.
It's not affected in the…
It's not affected in the sense that the debug parts get stripped and are not included in the binary we ship. Care to share a link to that bug here?
HTTPSE doesn't update…
HTTPSE doesn't update rulesets on Tor Browser update :(
What do you mean? What is…
What do you mean? What is supposed to happen but does not actually happen?
Updated TBB and got HTTPS-E…
Updated TBB and got HTTPS-E 2019.6.17 with rulesets, which updated to 2019.9.13 only after several days. And there is no way to force them updating.
RemoteWebProgress failed to…
RemoteWebProgress failed to call onStatusChange: [Exception... "JavaScript component does not have a method named: "onStatusChange"'JavaScript component does not have a method named: "onStatusChange"' when calling method: [nsIWebProgressListener::onStatusChange]" nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)" location: "JS frame :: resource://gre/modules/RemoteWebProgress.jsm :: _callProgressListeners :: line 119" data: no]
2 RemoteWebProgress.jsm:121
_callProgressListeners resource://gre/modules/RemoteWebProgress.jsm:121
onStatusChange resource://gre/modules/RemoteWebProgress.jsm:172
How do you get this error…
How do you get this error message (in a reproducible way)?
I can't disclose that…
I can't disclose that website, but this error doesn't appear on stable.
Okay. If you find some way…
Okay. If you find some way to reproduce that you can share, let us know. Otherwise there is not much we can do about it.
I haven't been using TB much…
I haven't been using TB much in the past few months, but I did a fresh install today because I encountered minor issues I thought could have been caused by a faulty update through the browser's update prompt... happened to notice that NoScript, HTTPS Everywhere, and any other "built-in" extensions don't seem to be present. Is this intentional? [did not change any settings; launched right after clean install] Security Level is present on the toolbar, however...
Thx.
What makes you believe they…
What makes you believe they are not present? Are they visible on the
about:addons
page? Note we re-did the toolbar in Tor Browser 8.5 where where we hid those two extensions from the toolbar (but they are still there).