New Release: Tor Browser 9.0a7
Tor Browser 9.0a7 is now available from the Tor Browser Alpha download page and also from our distribution directory.
Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
This is the second alpha release based on Firefox ESR68. This new release contains various improvements and bug fixes. Among them, the Snowflake pluggable transport is now available on Windows too, the issue with non-reproducible builds for the 32bit Linux and Windows bundles have been fixed (we are still working on fixing the issue with the Android ones), and we added support for the x86_64 target on Android (fulfiling Google Play's new requirement for 64bit versions, allowing us to provide an x86 version again). This release also updates Tor to 0.4.2.1-alpha on desktop and 0.4.1.5 on Android. Finally, this alpha release is the first one that is compatible with the upcoming new macOS version (10.15).
Known issues:
- The build of Tor Browser 9.0a7 for Android is not reproducible right now. We plan to fix this in the next alpha release, to give the usual guarantees reproducible builds aim to provide.
- New Identity and the bridge configuration in the browser are not easily accessible anymore as we removed the onion button. We are currently working on a replacement for both: New Identity will be exposed directly in the toolbar and the bridge configuration gets integrated in the Firefox settings. For New Identity please use the shortcut (Ctrl+Shift+U) for now or the item in the hamburger menu.
- Tor Browser on macOS can't get closed from the app menu anymore and other app menu items are not working either.
- We already have a number of known tickets we need to work on in the coming weeks. The most important ones are tagged with the tbb-9.0-must-alpha keyword. Moreover, we have accumulated Firefox 68 ESR related issues over the time that can easily be queried with our ff68-esr keyword.
If you find any issue with this release, please help us by reporting them so we can fix as much as we can before the first stable release based on ESR68, which is planned for October 22.
The full changelog since Tor Browser 9.0a6 is:
- All platforms
- Bug 30304: Browser locale can be obtained via DTD strings
- Bug 31065: Set network.proxy.allow_hijacking_localhost to true
- Bug 24653: Merge securityLevel.properties into torbutton.dtd
- Bug 31725: Pick up mk in Torbutton properly
- Bug 31164: Set up default bridge at Karlstad University
- Bug 15563: Disable ServiceWorkers on all platforms
- Translations update
- Windows + OS X + Linux
- Update Tor to 0.4.2.1-alpha
- Update OpenSSL to 1.1.1d
- Bug 31844: OpenSSL 1.1.1d fails to compile for some platforms/architectures
- Update Tor Launcher to 0.2.19.4
- Bug 31598: Disable warning on window resize if letterboxing is enabled
- Bug 31562: Fix circuit display for error pages
- Bug 31575: Firefox is phoning home during start-up
- Bug 31491: Clean up the old meek http helper browser profiles
- Bug 26345: Hide tracking protection UI
- Bug 31601: Disable recommended extensions again
- Bug 30662: Don't show Firefox Home when opening new tabs
- Bug 31457: disable per-installation profiles
- Bug 28822: Re-implement desktop onboarding for ESR 68
- Bug 25483: Provide Snowflake based on Pion for Windows, macOS, and Linux
- Windows
- Bug 30800: ftp:// on Windows can be used to leak the system time zone
- OS X
- Linux
- Android
- Build System
- All platforms
- Windows
- Bug 30384: Use 64bit containers to build 32bit Windows Tor Browser
- Bug 31538: Windows bundles based on ESR 68 are not built reproducibly
- Bug 31584: Clean up mingw-w64 project
- Bug 31596: Bump mingw-w64 version to pick up fix for #31567
- Bug 29187: Bump NSIS version to 3.04
- Bug 31732: Windows nightly builds are busted due to mingw-w64 commit bump
- Linux
Comments
Please note that the comment area below has been archived.
Bookmark import/export in…
Bookmark import/export in mobile Tor Browser?
Yes, that is not implemented…
Yes, that is not implemented yet and still tracked in https://trac.torproject.org/projects/tor/ticket/31617.
OT but important: I do not…
OT but important:
I do not have email but need to report misbehaving Tor infrastructure. How?
I guess you could open a bug…
I guess you could open a bug in our bugtracker (https://bugs.torproject.org). We can put it in the right category then or ping the right people. If it's a security issue we have our security mailing list: tor-security[@]lists[.]torproject[.]org (without the brackets).
> Among them, the Snowflake…
> Among them, the Snowflake pluggable transport is now available on Windows too...
I downloaded the alpha for my Windows box but I don't see Snowflake extension either on Customize or Add-Ons page (there are only NoScript and HTTPS Everywhere). Where is it?
Speaking of Snowflake, reading about it Snowflake uses WebRTC to function. Yet WebRTC can leak real IP Address, and as far as I know TBB disabled them by default. So how does it work when it's included in TBB?
There is no extension…
There is no extension shipped. The extension is for helping other people by *offering* to route their traffic to your system. However, the pluggable transport we ship is for helping people that are censored and need to find someone (who might be running the snowflake extension in the browser). You can select it like any other bridge/pluggable transport during start-up.
Yes, WebRTC is disabled in Tor Browser. The snowflake pluggable transport is provided by a separate binary which is running outside of the browser context but is bundled with it.
It seems users can't…
It seems users can't distinguish Snowflake PT and Snowflake. It needs some action. And, please, don't scary users with bundled WebRTC. It's a highly restricted version that has no relevance to what users call WebRTC.
Will you ship snowflake for…
Will you ship snowflake for stable Tor Browser users?
That's the plan at some…
That's the plan at some point, yes. Tor Browser 9 might be too early for that as the anticensorship team is still working on getting Snowflake in a shape suited for stable usage.
Error: TelemetryStopwatch:…
Error: TelemetryStopwatch: key "WEBEXT_CONTENT_SCRIPT_INJECTION_MS" was already initialized ExtensionTelemetry.jsm:109:31
Error: TelemetryStopwatch: key "WEBEXT_CONTENT_SCRIPT_INJECTION_MS_BY_ADDONID" was already initialized ExtensionTelemetry.jsm:113:41
How can I reproduce those…
How can I reproduce those errors?
New NoScript RC is a…
New NoScript RC is a disaster :(
> Tor Browser 9.0a7 is now…
> Tor Browser 9.0a7 is now available from the Tor Browser Alpha download page and also from our distribution directory.
And Google Play?
Yes, the mobile version…
Yes, the mobile version should be on Google Play as well and F-Droid is coming soon, too.
Oh, you don't want to…
Oh, you don't want to advertise Google Play in your blog no more. Makes sense.
> https://www.torproject.org…
> https://www.torproject.org/download/alpha/
x86_64 target on Android?
Thanks. I filed https://trac…
Thanks. I filed https://trac.torproject.org/projects/tor/ticket/31926.
Crash Guard Disabled…
Crash Guard Disabled Features
wmfvpxvideoCrashGuard
Failure Log
(#0) Error WMF VPX video decoding is disabled due to a previous crash.
(#1) CP+[GFX1-]: WMF VPX video decoding is disabled due to a previous crash.
How can I reproduce that…
How can I reproduce that crash? On which operating system is this happening?
WMF on which operating…
WMF on which operating system? Nice joke. That's an expected crash. No fingerprinting vector except performance. Nothing to worry about.
It could be Windows 7 or 10…
It could be Windows 7 or 10 maybe and that could make a difference. That said without more context it's hard to say what is going on. Maybe something like https://bugzilla.mozilla.org/show_bug.cgi?id=1570046?
It is how they test for HW…
It is how they test for HW VPX currently. Seems not fingerprintable.
partial update is not clean;…
partial update is not clean; logs:
NS_main: unable to remove directory: tobedeleted, err: 41
Where/when do you have this…
Where/when do you have this error?
Win 10 x64
Win 10 x64
I created https://trac…
I created https://trac.torproject.org/projects/tor/ticket/31984 to track this issue. Please direct follow up comments there.
Snowflake LICENSE file is in…
Snowflake LICENSE file is in Docs\snowflake, while others are in Docs\Licenses\PluggableTransports
Thanks, I filled this ticket…
Thanks, I filled this ticket:
https://trac.torproject.org/projects/tor/ticket/31932
Snowflake README.md file has…
Snowflake README.md file has:
- [x] Can browse using Tor over Snowflake.
- [ ] Reproducible build with TBB.
Thanks, that part of the…
Thanks, that part of the README was somewhat obsolete. I removed it in https://gitweb.torproject.org/pluggable-transports/snowflake.git/commit….
[10-02 09:53:52] Torbutton…
[10-02 09:53:52] Torbutton INFO: New window
[10-02 09:53:52] Torbutton INFO: called init()
[10-02 09:53:52] Torbutton INFO: This is a Tor Browser
[10-02 09:53:52] Torbutton INFO: Initializing the Torbutton button.
[10-02 09:53:52] Torbutton INFO: get_toolbutton(): did not find torbutton-button 3
[10-02 09:53:52] Torbutton INFO: init completed
Do you have any details that…
Do you have any details that can help reproduce this issue?
Doesn't "Torbutton INFO: New…
Doesn't "Torbutton INFO: New window" sound for you?
You removed torbutton-button. Needs a cleanup.
Yes, https://trac.torproject…
Yes, https://trac.torproject.org/projects/tor/ticket/28745 has a patch up for review doing that.
about:addons Plugins is empty
about:addons
Plugins is empty
Yes, there should be no…
Yes, there should be no plugins there.
There should be `Enable…
There should be `Enable plugins` button. See stable.
Bug 39187: Bump NSIS version…
Error: Invalid ticket number
Ticket 39187 does not exist.
Thanks, fixed.
Thanks, fixed.
Bug 31450: Use still GCC for…
Still use GCC
Thanks, fixed.
Thanks, fixed.
could tor add an snowflake…
could tor add an snowflake switch in TTB for server? i don't think who want be a volunteer will run another browser in using TTB , but if it is a button in TTB, they will. an add-on for webrtc may cause privacy problem, just a switch for standlone snowflake program, but in TTB.
The problem is that Tor…
The problem is that Tor Browser has no WebRTC support for anonymity and privacy reasons.
TypeError: win is null…
TypeError: win is null ExtensionUtils.jsm:104:3
Do you have steps to…
Do you have steps to reproduce the error?
CSS Exfil Vulnerability…
CSS Exfil Vulnerability Tester. https://www.mike-gualtieri.com/css-exfil-vulnerability-tester
The technique can also be used to de-anonymize users on dark nets like Tor. Defense methods are discussed for both website operators as well as web users, and a pair of browser extensions are offered which guard against this class of attack.
Introducing CSS Exfil
Several months ago I began tinkering with Chrome's XSS auditor looking for bypasses. One remote injection method which reliably got through Chrome's filter was CSS injection. By utilizing injected CSS, an attacker essentially has complete control over the look-and-feel of a page. I also discovered an attacker can leverage CSS to steal form data. By utilizing CSS alone, browser protections like NoScript can't block the egress of data (although NoScript's XSS auditor is more effective than Chrome at blocking some of the injection Proof of Concept attacks detailed below).
While CSS injection is not a new vulnerability, using CSS as the sole attack vector to reliably exfiltrate data - to my knowledge - has never been presented. I am also not aware of any effective method previously documented to guard end users against such attack - other than to block CSS, which is not a practical solution.
I understand that installing…
I understand that installing other extensions is not advised; that being said, DTA has finally been re-released :) as a WebExtension, which generally works as expected in Firefox, but I'm having trouble with it in TorBrowser. Any idea why I might be experiencing issues?
Again, I realize that those of you working on TB are not involved in any way with DTA (which is still working out the kinks), but I'm trying to find out why I'm having problems since ESR 68 reportedly works.
Basic functionality like adding a targeted file to the Download Manager does not even show up, therefore a d/l never runs, completes, or even appears. This still happens while enabling only DTA, even after restarting.
I'm not attempting to d/l large files or anything (always mindful of others' needs on the network). Most are much smaller than 1mb. I also don't leave the extension enabled, even in my FF browser; I only enable it after pages have finished loading, if I need it multiple (smaller) files.
Thank you for any help you could provide.
intermittent Secure…
intermittent
Secure Connection Failed
An error occurred during a connection to ****.com. PR_END_OF_FILE_ERROR
From https://developer…
From https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Referenc…
PR_END_OF_FILE_ERROR
Unexpectedly encountered end of file (Mac OS only).
but that's on Win 10!
[10-05 05:09:49] Torbutton…
[10-05 05:09:49] Torbutton INFO: New domain isolation for --unknown--: 891f840bfd9f26cfae3623da63e4701b
[10-05 05:09:49] Torbutton INFO: tor SOCKS: https://****.org/.../avatars/35d.png via
--unknown--:891f840bfd9f26cfae3623da63e4701b
:(
Do you have steps to…
Do you have steps to reproduce the problem?
Unfortunately non…
Unfortunately non-reproducible in any known way. Possibly, some kind of race condition.
Hrm, okay. I can try to look…
Hrm, okay. I can try to look whether we can find a way to track this down. Let us know whether you find one, too. Thanks.
OK, FWIW, there are many…
OK, FWIW, there are many avatars in the form of https://****.org/.../avatars/XXX.png, but only one of them went through the catch-all circuit and only one time. Maybe, cache-related.
Regarding the bug smash…
Regarding the bug smash project:
Some years ago comments in this blog warned that attackers are likely to exploit bugs to mess with the PRNG because non-randomness is less likely to be noticed. Just such an attack on Firefox has been described:
Kaspersky warns of encryption-busting Reductor malware
Infection manipulates browsers to snoop on TLS comms
Shaun Nichols in San Francisco
3 Oct 2019
> ...
> "The solution that Reductor’s developers found to mark TLS traffic is the most ingenious part," Kaspersky explained. "They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation (PRNG) functions in the process’s memory." By compromising the random number generator, the malware's operators would know ahead of time how the traffic will be encrypted when the victim establishes a TLS connection, and have the ability to mark that traffic for later use. From there, the malware can easily decode the traffic and see what the transmitted data is, then send anything of interest back to the command server. Because this data can be decoded, the attacker has no need to actually tamper with the traffic while it is in transit, and thus is able to function without alerting security tools or administrators that something is amiss.
you need to solve captcha 5…
you need to solve captcha 5 times correctly to access google.com. madnesssss
http://rqef5a5mebgq46y5…
http://rqef5a5mebgq46y5.onion/ doesn't 404, it says "403 Forbidden", my bad.
Thanks for the report. This…
Thanks for the report. This issue should be fixed now.
TypeError: videoElement is…
TypeError: videoElement is undefined TopLevelVideoDocument.js:21:5
setFocusToVideoElement chrome://global/content/TopLevelVideoDocument.js:21
Do you have steps to…
Do you have steps to reproduce this problem? If so, which are they?
Open any video file / direct…
Open any video file / direct link in a new tab.
I did that with https://live…
I did that with https://live.serve-u.de/transfer/cccamp2019/CCCamp2019_night_4k_Stream… on my Linux box but did not see any error message in the browser console. Which operating system are you on?
Win 10 1903
Win 10 1903
Same error is thrown for me…
Same error is thrown for me.
MacOS Catalina
https://demo.bitmovin.com…
https://demo.bitmovin.com/public/firefox/av1/ dies on Windows.
What does "dies" mean here?…
What does "dies" mean here? I can play this video on a Windows 7 box fine.
The latest version of…
The latest version of Windows is 10.0.18362.356. And there:
Media resource blob:https://demo.bitmovin.com/5e6cbd25-351b-43aa-93b6-72e6b87fdae8 could not be decoded, error: Error Code: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005)
Details: error creating Video decoder av1
https://bugzilla.mozilla.org…
https://bugzilla.mozilla.org/show_bug.cgi?id=1376814 or move out the default extensions (they should be moved from profile to application directory anyway).
I tested both TB855 and this…
I tested both TB855 and this alpha, and noticed a strange difference. The stable release only uses tor.exe to connect to the web, but the alpha also attempts to connect via firefox.exe.
Not sure what this means. But I recently spend 2 days trying to stop a fresh Firefox install from making unsolicited connections to the web (without success). So I wonder if this is related.
Where are those connections…
Where are those connections going to? And how do you see that firefox.exe is making connections in the first place?
I have ComodoFirewall…
I have ComodoFirewall installed.
Here are some IPs Firefox.exe is trying to connect to:
93.184.221.240:80
8.247.186.126:80
5.102.166.9:80
5.102.166.10:80
13.107.4.50:80
Does TOR Browser for Android…
Does TOR Browser for Android support custom obfs4 bridges? It seems to me it doesn't.
It's currently broken but we…
It's currently broken but we are investigating: https://trac.torproject.org/projects/tor/ticket/30767.
This code of conduct is…
This code of conduct is shared under a Creative Commons CC-BY-SA 4.0
International license.
This code of conduct uses some language and framing from the Citizen Code of
Conduct, which is shared under a CC-BY-SA license: citizencodeofconduct.org
[1] https://trac.torproject.org/projects/tor/wiki/org/CommunityCouncil
[2] https://gitweb.torproject.org/community/policies.git/tree/community_cou…
So, you claim the licenses…
So, you claim the licenses are incompatible? Or that we did not mention the other website as inspiration? Or...?
I'm guessing you're aware of…
I'm guessing you're aware of this, but in any case - I get this in my output on GNU/Linux:
Fontconfig warning: "/path/Browser/TorBrowser/Data/fontconfig/fonts.conf", line 145: blank doesn't take any effect anymore. please remove it from your fonts.conf
Fontconfig on my system is at version 2.12.6.
Yes, see: https://trac…
Yes, see: https://trac.torproject.org/projects/tor/ticket/22787. It just did not bubble up into our ToDo list. :( (Please help if you can)
Rebasing TBB on FF68 seems…
Rebasing TBB on FF68 seems like it's taking a lot of effort. Thank you, for all your hard work!
It does indeed take a lot of…
It does indeed take a lot of effort, thanks!
https://www.ghacks.net/2019…
https://www.ghacks.net/2019/10/09/hide-private-mode-for-firefox-prevent…
"prevents private browsing mode detection" is a must-have.
Why don't you return meek…
Why don't you return meek-cloudflare as one of the default bridges now that CloudFlare supports ESNI? Isn't that even better than to use domain fronting on Azure?
There has been some initial…
There has been some initial work and evaluation on using ESNI in meek (see https://trac.torproject.org/projects/tor/ticket/28168).
However, we're not moving forward with it immediately for two main reasons:
1) ESNI hasn't seen widespread deployment or adoption yet. We're concerned that relying on it would just get ESNI blocked by censors before it has a chance to proliferate. See the following discussion in the traffic obfuscation mailing list for more details: https://groups.google.com/forum/#!msg/traffic-obf/e7y4xQRUrXA/sE0aSpnpB…
2) It would be technically difficult to integrate ESNI after moving to meek-lite with uTLS, since golang doesn't yet have ESNI support. Waiting for this support might be one way to ensure that ESNI has been adopted widely enough to move forward :)
Error: Cannot start…
Error: Cannot start installing from this state XPIInstall.jsm:1346:15
How can I reproduce this…
How can I reproduce this error message?
Request to access cookie or…
Request to access cookie or storage on “https://www.https-rulesets.org/v1//rulesets-signature.1570565711.sha256” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. _generated_background_page.html
really noisy spam or real access?
Not sure. How can one…
Not sure. How can one reproduce that message?
every other rulesets update,…
every other rulesets update, automatic
Okay, I've filed https:/…
Okay, I've filed https://trac.torproject.org/projects/tor/ticket/32107. If there is more to add, please do in the bug ticket.
this.inputField is undefined…
this.inputField is undefined UrlbarInput.jsm:818
_setValue resource:///modules/UrlbarInput.jsm:818
set value resource:///modules/UrlbarInput.jsm:792
URLBarSetURI chrome://browser/content/browser.js:3351
onLocationChange chrome://browser/content/browser.js:5885
callListeners chrome://browser/content/tabbrowser.js:841
_callProgressListeners chrome://browser/content/tabbrowser.js:855
_callProgressListeners chrome://browser/content/tabbrowser.js:5499
onLocationChange chrome://browser/content/tabbrowser.js:5919
_callProgressListeners resource://gre/modules/RemoteWebProgress.jsm:119
onLocationChange resource://gre/modules/RemoteWebProgress.jsm:161
receiveMessage resource://gre/modules/RemoteWebProgress.jsm:286
How can I reproduce this…
How can I reproduce this error?
every NS CTP
every NS CTP
Could you spell "NS CTP" out…
Could you spell "NS CTP" out? I have no idea what that means.
noscript click-to-play
noscript click-to-play
File not found An error…
File not found
An error occurred during a connection to onlinefreechat.com.
Check the file name for capitalization or other typing errors.
Check to see if the file was moved, renamed or deleted.
WTF?
Have a look what the page…
Have a look what the page source says: "TOR is blocked due to spam and scams".
Yep, but why does it show …
Yep, but why does TBB show "File not found"?
InvisibleToDebugger:…
InvisibleToDebugger: DOMException { }
history-persistence.js:31:15
historyPersistenceMiddleware resource://devtools/client/webconsole/middleware/history-persistence.js:31
How can we reproduce this…
How can we reproduce this exception?
IDK
IDK
Seems to perform much more…
Seems to perform much more smoothly than previous stable versions (<= 8.5.x). In particular, it now loads and opens immediately, even when set to higher security levels. In previous versions it would take quite some time while spinning up CPU. I've also tested with uBlock Origin and there is no impact on performance at all, across all security levels. I think Bug 23719 might be considered fixed.
In any case, great work!
Thanks! Interesting that …
Thanks! Interesting that #23719 is not an issue anymore. Either way, we'll have a patch there shortly to be extra sure we are not affected by that bug anymore. So, we'll close the ticket once this lands.
But not on Windows :(
But not on Windows :(
Probably an upstream issue,…
Probably an upstream issue, but the browser opens a download prompt when response header for RSS XML content is received, e.g.:
content-type: application/rss+xml; charset=utf-8
In comparison FF-ESR 60 (Tor Browser 8.5) display RSS XML as an HTML document that lists feed items.
Are you able to reproduce…
Are you able to reproduce that with a normal Firefox ESR 68? (you can find bundles at: https://www.mozilla.org/en-US/firefox/enterprise/#download)
My bad, it was actually…
My bad, it was actually removed upstream in Firefox 64:
https://www.mozilla.org/en-US/firefox/64.0/releasenotes/
VERY ANGRY!!! the launcher…
VERY ANGRY!!!
https://bugzilla.mozilla.org/show_bug.cgi?id=1587642
about:support Launcher…
about:support
Launcher Process Disabled due to failure
when you block access to registry. Nonsense!
Are you suggesting we should…
Are you suggesting we should fix that ourselves? And if so, how would a fix look like?
tbb-disk-leak, fwiw. It…
tbb-disk-leak, fwiw. It should write to a file in the app data directory instead of Windows registry!