New Release: Tor Browser 9.5.1
Tor Browser 9.5.1 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox to 68.10.0esr and NoScript to 11.0.32.
Also, this release features important security updates to Firefox.
The Windows installer is now code signed with a new Authenticode certificate. Please report any issues you encounter with this version.
The full changelog since Tor Browser 9.5 is:
- All Platforms
- Update Firefox to 68.10.0esr
- Update NoScript to 11.0.32
- Translations update
- Bug 40009: Improve tor's client auth stability
- Windows + OS X + Linux
- Bug 34361: "Prioritize .onion sites when known" appears under General
- Bug 34362: Improve Onion Service Authentication prompt
- Bug 34369: Fix learn more link in Onion Auth prompt
- Bug 34379: Fix learn more for Onion-Location
- Bug 34347: The Tor Network part on the onboarding is not new anymore
Comments
Please note that the comment area below has been archived.
software certificate from…
software certificate from TBB9.5.1 for mswindows is outdated.
This blog post should be at…
This blog post should be at the top of the page. Thank you for the update.
When is 78 based coming?
When is 78 based coming?
Soon.
Soon.
CAUTION! tor is phoning home…
CAUTION!
tor is phoning home. unwanted traffic to different IPs early after every launch.
Can you provide any more…
Can you provide any more details than this very vague (and harmful) statement?
i'll collect the IPs first…
i'll collect the IPs first and then i'll check if they are listed in torstatus.
what can it be? some dirauth traffic or a new (de)centralized user-IP collecting service?
Please provide the IP…
Please provide the IP addresses so we can help answer these questions.
OP my firewall is blocking…
OP
my firewall is blocking everything except the traffic to my entrynodes.
tor is trying to connect to a random node once - no retry - short after launch and
before the firefox window pops up. happens within 'Bootstrapped 15%'.
there is no error message in the console. it looks like tor tries to send a ping.
95.128.43.164 not listed in torstatus
171.25.193.20
54.36.237.163
86.105.212.130
81.7.14.253
163.172.194.53
54.37.139.118
185.100.86.182
163.172.176.167
163.172.149.155
213.183.60.21
193.70.43.76
212.47.229.2
212.47.233.86
217.279.179.177 not listed in torstatus
95.128.43.164 - https:/…
95.128.43.164 - https://metrics.torproject.org/rs.html#details/616081EC829593AF4232550D…
217.279.179.177 - probably an offline relay
Did you configure the entrynodes or if your firewall allowing the IP addresses of the guards selected at random?
Could you explain what you…
Could you explain what you mean by "offline relay"? Do you mean that if a node drops off Tor Network a few minutes before a Tor client neccessarily using partially out of date information tries to reach out to it, that could appear suspicious to someone worried about "phoning home"?
Yes
Yes
OP Browser Console error…
OP
Browser Console error message:
[Exception... "Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIAppStartup.secondsSinceLastOSRestart]" nsresult: "0x80004001 (NS_ERROR_NOT_IMPLEMENTED)" location: "JS frame :: resource:///modules/BrowserGlue.jsm
:: _collectStartupConditionsTelemetry :: line 1547" data: no]...............................BrowserGlue.jsm:1547:9
_collectStartupConditionsTelemetry resource:///modules/BrowserGlue.jsm:1547
BG__onFirstWindowLoaded resource:///modules/BrowserGlue.jsm:1649
BG_observe resource:///modules/BrowserGlue.jsm:847
_delayedStartup chrome://browser/content/browser.js:2127
_delayedStartup self-hosted:1003
_collectStartupConditionsTelemetry ???
are you collecting startup conditions information over a random tor circuit?
The default behavior of…
The default behavior of Firefox is to collect telemetry on users. Tor Browser disables that behavior, or at least tries to.
With every new Firefox release the telemetry gets more invasive. Tor team must review the code each time to remove the telemetry. While it is possible they might have missed something (because humans are fallible) simply having the word 'telemetry' in an output string doesn't mean its actually connecting to anything. They probably just forgot to remove that output.
More testing amongst many users would be good, to verify this is the case.
i configured my entrynodes…
i configured my entrynodes. they were not selected randomly. i edited torrc and the state-file to:
Guard in=default rsa_id=...........nickname=example1.......
Guard in=default rsa_id=...........nickname=example2.......
Guard in=restricted rsa_id=......nickname=example1.......
Guard in=restricted rsa_id=......nickname=example2.......
there was no additional (or random) traffic necessary to fetch the concensus and this worked over years.
(i know a state-file in a fresh install is different to my one.)
my firewall (IP-based) is blocking this mysterious traffic. nothing else than my entrynodes are allowed.
happens on a fresh install too. it must have to do with your recent changes in 9.5.1. i never had this before.
either tor is trying to send a ping or tor is trying to send data to a collector service or tor tries to fetch some
additional information. TBB works properly without this traffic and i would like to know what it is and how to turn it
off.
This sounds like expected…
This sounds like expected behavior. I'm surprised you haven't seen this previously. The way you are configuring the entry nodes does not enforce only using those nodes. Occasionally tor connects to other entry nodes (in addition to the nodes listed in the state file).
OP ...and how to enforce…
OP
...and how to enforce using the nodes in state-file only?
You don't, that is a…
You don't, that is a terrible hack. Explicitly configure the nodes you want in the torrc file as EntryNodes. If you really, really only want to use a small set of entry nodes then use bridges.
OP ...and where to read…
OP
...and where to read about this 'hack'?
The configuration you…
The configuration you describe is strongly not recommended, so finding information about it is difficult. However, if you feel this is important then search the following web page for EntryNodes and StrictNodes.
https://2019.www.torproject.org/docs/tor-manual.html.en
OP StrictEntryNodes 1 or…
OP
StrictEntryNodes 1 or StrictNodes 1 is not applied before, after EntryNodes, on top or at the bottom
of torrc or torrc-defaults. where to put this expression not to be ignored or break tor?
i've checked a few IPs. not…
i've checked a few IPs. not all of these random nodes are listed in torstatus.
why is tor trying to connect? they are not part of my torrc or state-file.
torstatus is old. Check the…
torstatus is old. Check the IPs on https://metrics.torproject.org/ --> Relay Search or via the Onionoo API.
I am not sure about Tor…
I am not sure about Tor Browser on some OS such as Windows, but Tails certainly expects users to use onion sites, for which it is important that the clock be accurate, so in past editions, when starting Tails, one could see NTP protocol while the Tor client was connecting to the Tor network. In more recent editions, everything seems to be going through Tor, so perhaps trying Tails (tails.boum.org) will alleviate these "phone home" concerns.
Tails uses the same Tor…
Tails uses the same Tor Browser as is available from the torproject.org download page. If there are *any* connections being established without using tor, then that must be fixed.
torproject doesn't use…
torproject doesn't use ublock though?
Yes
Yes
The "important security…
The "important security updates to Firefox" link in the blog post seems to be broken.
Please check again. Mozilla…
Please check again. Mozilla delayed publishing their advisories due to an issue in FF78.
Thank You for an update.
Thank You for an update.
when i have the latest…
when i have the latest update, tor will not let me on. i am running Widows 7; is that a problem?
Can you provide any error…
Can you provide any error messages you receive?
i am running Widows 7; is…
for this issue idk, but in general yes: https://en.wikipedia.org/wiki/Windows_7#After_14_January_2020
Are updates automatically…
Are updates automatically installed over the Tor network? Does the update installer honor configuration like bridges and proxies?
Yes, the update is…
Yes, the update is downloaded over Tor (and the integrity of the downloaded file is checked before the update is applied). The update should not modify the configured bridges or proxies.
Thanks for the response, but…
Thanks for the response, but are the updates themselves downloaded over Tor using the specified bridges or proxies? Would the download itself bypass any of these settings?
No, the update file is…
No, the update file is downloaded using exactly the same configuration as Tor Browser uses for browsing websites.
Is the integrity (hash sum)…
Is the integrity (hash sum) file fetched on the same circuit as the update file? Are the update and the integrity file downloaded from onions or through exit nodes?
Downloading an update…
Downloading an update requires multiple steps. Every server is contacted as a DNS hostname (or IP address) over HTTPS, none of them use onion services (yet).
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/172…
1) Tor Browser contacts server "A" and asks if an update is available. If there is an update, then server "A" responds with metadata about the update file (a URL for that file, the size of the file, the SHA512 hash of the file).
2) Tor Browser follows the provided URL and connects to server "B" and downloads the file
3) Tor Browser verifies the size of the file and sha512 hash of the file are as expected
4) Tor Browser verifies the cryptographic signature on the file. Tor Browser has two public keys hard-coded for which signatures on updates will be accepted.
The update is installed after all checks pass.
cant login to some sites…
cant login to some sites anything uses can does?
Can you provide more details…
Can you provide more details about why you can't login?
This site glitches if I try…
This site glitches if I try posting a comment on the safest security level. I'm on Windows and using 9.5.1, but this issue has been around since 9.5.
That's probably https://trac…
That's probably https://trac.torproject.org/projects/tor/ticket/22530
Yes, that's it. So it's been…
Yes, that's it. So it's been happening since TB 7.0?
Please take a look at this bug: It's a high-priority and majorly severe problem.
Thanks from all of us high-security users.
This is unlikely to be fixed…
This is unlikely to be fixed anytime soon (just as it hasn't been fixed in the last 3 years). Moving to a new blog platform is more likely. Javascript is a de facto requirement on the web now. If you don't want to browse the web with javascript enabled, then that is your choice. The Tor Project puts a lot of effort into making its websites operate seamlessly without javascript available, but sometimes that isn't possible. Unfortunately Drupal is a beast, and solving this problem is not easy. If you want to leave a comment but you don't want to enable javascript, then you should investigate using Tails.
(Not the OP) I am using…
(Not the OP)
I am using Tails 4.8 and just to be clear, to avoid getting caught in an endless loop in which the blog software tries to continually reload the page, you need to drop down from "Safest" to "Safer" in the Tor Browser.
However, I second the recommendation to use Tails (see tails.boum.org). Journalists, activists, political staffers, local and regional government officials, high school students, employees of companies fond of spying on their workforce, all kinds of people should use Tails for everything online (and probably many things offline too).
Windows digital sign check…
Windows digital sign check fails for installer, proceed with caution until developers give explanations.
Can you provide the version…
Can you provide the version of Windows you are using? The installers for this version are signed with a new Windows signing certificate (the new certificate was originally tested in the previous alpha version: 10.0a1).
Re-downloaded it today and…
Re-downloaded it today and passed the sign verification, I had the first download right after it appeared on https://dist.torproject.org yesterday but failed. But please explain why it originally failed and how the signing process works now.
Ah. I see. Yes, before the 9…
Ah. I see. Yes, before the 9.5.1 was officially released the .exe installers were originally signed using the old signing certificate. This installers were re-signed with the new, valid certificate before the new version was announced.
For quite a while now, the…
For quite a while now, the Windows' Torbrowser seems to forget/erase DuckDuckGo searches, so that if a link is clicked in a search and it proves no good, when the browser back button is clicked to go back to the search, DuckDuckGo reverts to a blank starting page, not the previous search results. Very annoying and inconvenient. Is this a cache thing or is there some setting in config that can be changed?
(It does not affect the Android version of TorBrowser, strangely enough)
This is not only seen on…
This is not only seen on Windows, but it is annoying. No one has investigated why this happens, yet.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/281…
How about using HTTP GET…
How about using HTTP GET instead of POST?
this is what I figured the…
this is what I figured the cause was as well
When you search from the address bar your search terms are sent in a POST request to https://duckduckgo.com/, but when you search from the website they're sent in a GET request to https://duckduckgo.com/?q=your+search+terms. When you click the back button, it doesn't do the same POST request, so instead of searching it just brings you to the DuckDuckGo homepage.
I always thought that…
I always thought that refusing to reload search pages was a feature, not a bug!
Which security level is…
Which security level is active? Did you change security levels after clicking the search result, before clicking the back button?
This happens on Startpage…
This happens on Startpage too. I think it's a privacy feature of the site, (cache-control: max-age=1), so that searches aren't saved in browser history or restore tabs for example. Sometimes I actually get a "Document Expired" error, and reloading the page goes back to the home page.
Kind of defeats the purpose…
Kind of defeats the purpose when all subsequent searches are GET requests and your search terms are in the URL e.g. https://duckduckgo.com/q=lorem+ipsum.
Running a fully updated…
Running a fully updated version of the current release of fedora.
Got the notice several hours ago about the new version 9.5.1 of Tor Browser and clicked the up arrow icon to restart to update.
a small alert window with a progress bar says something like "tor is installing your updates..." and very quickly it finishes and disappears and tor browser opens. But the version still says 9.5 and when I click View Changelog is still says Release Date June 2 2020.
I tried closing and opening tor browser several times several hours ago and again now, but it doesn't actually update. I saw similar behavior the last couple updates, too, but after restarting one or two times then the update worked.
Thank you to your team, I love using Tor & Tor Browser.
Your description sounds like…
Your description sounds like there is a failure in the applying the update. Tor Browser downloads an update and verifies its integrity. After that is successful, the browser notifies you that an update is available and restarting the browser will install it. When the browser restarts, it tries applying the update. When this process fails, then the browser remains on the current version.
You may find a useful/informative log file in the Tor Browser directory under Browser/TorBrowser/UpdateInfo/updates/last-update.log. Some more details can be found on this page https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Platform_I…
Do you see that file and any errors in that file?
Thanks for your answer. Here…
Thanks for your answer. Here's the content of the update log:
[edited: trimmed content]
Were there any additional…
Were there any additional lines at the end of the file? Maybe a line starting with "failed: " or "calling "?
Yes, the last two lines are:…
Yes, the last two lines are:
failed: 64
calling QuitProgressUI
The last several lines before that are:
Thanks. That "failed:"…
Thanks. That "failed:" number indicated the update failed while it tried writing an updated version of a file onto your hard drive. As the below comment suggests, this could be due to having insufficient disk space for the new version. Firefox (and Tor Browser) do not handle this situation well.
That was it! Freeing up disk…
That was it! Freeing up disk space solved it, thanks sysrqb and Anonymous below.
Make sure you have plenty of…
Make sure you have plenty of free space in the filesystem or the update may fail silently.
Why doesn't torblog use /…
Why doesn't torblog use / have an onion address ?
https://blog.torproject.org…
https://blog.torproject.org/comment/288432#comment-288432
I´ve noticed enterprise…
I´ve noticed enterprise policies are working again. Does that mean it´s now considered safe?
https://blog.torproject.org…
https://blog.torproject.org/comment/288339#comment-288339
Hi, The browser does not…
Hi,
The browser does not open and sometimes even if it opens the tab crashes. The OS is Windows 8.1 Pro, 64 bit and Antivirus is Quick Heal Internet Security Essentials. I tried disabling the antivirus, firewall but nothing seems to work. Please help...
TBB on Windows 7 32bit is OK…
TBB on Windows 7 32bit is OK! THNX
All downloads fail on…
All downloads fail on completion. Re-installed 9.5 and downloads work again.
Can you see any reason for…
Doe the log file provide any more information? Please see https://blog.torproject.org/comment/288477#comment-288477 for more information.
Love TOR!
Love TOR!
Why the useragent must be,…
Why the useragent must be, when Javascript is on, unspoofable?
https://blog.torproject.org…
https://blog.torproject.org/comment/288302#comment-288302
" trade-off: break the web…
" trade-off: break the web or reveal the OS. "
That's no explanation for i'm forced to reveal the real OS, especially with Javascript on.
Suddenly, the devs switch off this Anti-Fingerprinting Defense.
ALL older versions have had this feature and it's strange to make it impossible to spoof the usaeragent.
-- Hello! Need some help: …
--
Hello! Need some help:
There is a discussion with OpenNet-site owner to provide onion-mirror of the site - https://www.opennet.ru/openforum/vsluhforumID4/591.html
It looks like OpenNet is already quite friendly to Tor-users, unfortunately owner is quite conservative and requests the reasons to run onion-service. Have to say I share some his concerns and thus I did a brief web-search:
https://community.torproject.org/onion-services/
--
What are Onion Services?
Onion services are services that can only be accessed over Tor.
Running an onion service gives your users all the security of HTTPS
with the added privacy benefits of Tor Browser.
--
https://riseup.net/en/security/network-security/tor/onionservices-best-…
--
Onion services don’t need to be hidden!
You can provide a onion service for a service that you offer publically on a server that is not intended to be hidden.
Onion services are useful to protect users from passive network surveillance,
they keep the snoopers from knowing where users are connecting from and to.
--
Ask your favorite online service to provide an onion service!
Advocate for more onion services by asking those who provide the services that you use to make them available.
They are easy to setup and maintain, and there is no reason not to provide them!
--
Summarizing the above - onion-version of OpenNet may
* bring some (what?) "added privacy benefits" to users.
* "keep [the evils] from knowing where users are connecting from"
- Could you please say - What did I miss?
Concerning RiseUp's "there is no reason not to provide them" - the site-owner argues that extra functionality potentially increase number of vectors for attacks. Thus "there is no reason not to" - is not a reason to do :-)
Could anybody provide more arguments for adding onion-service?
Personally I see the reason to keep a browsing within TorNetwork
* to avoid ClearNet DNS-requesrs and
* (probably) avoid pumping Web-traffic via any of TorExitNodes (as ones are potentially more risky?).
- so this is all about "to protect users", are there any other reasons?
Dos it mean that all the onion-stuff is about - "to protect users"? Does onion-version protects users sufficiently better than Tor+HTTPS?
Also unfortunately https://www.eff.org/pages/tor-and-https does not illustrates the situation with onion-services.
So -
* What are benefits of visiting site-onion-version over Tor+HTTPS for users?
* Are there pitfalls of keeping site-onion-version for site maintainers?
Also https://community.torproject.org/onion-services/overview/
provides some descriptions -
* "Location hiding" - it is not hidden site, seems like unnecessary for this situation
* "NAT punching" - not sure about, seems like unnecessary for this situation
* "End-to-end authentication" - i.e. about avoiding DNS-attacks and MITMs
* "End-to-end encryption" - i.e. strong crypto
Are there any advocates to help to point to extra reasons to prepare onion-service of opennet.ru?
--
My Tor Browser reveals all…
My Tor Browser reveals all the fonts that I have when I have JavaScript enabled. For that reason, I can't enable JavaScript or else my fingerprint is in fact very unique according to EFF Panopticlick and others. What can I do?
It does not, Tor Browser…
It does not, Tor Browser only reveals a small amount of installed fonts. See the following information at https://2019.www.torproject.org/projects/torbrowser/design/#fingerprint… (search for "6. Fonts"):
"For Windows and macOS we use a preference, font.system.whitelist, to restrict fonts being used to those in the whitelist. This functionality is provided by setting privacy.resistFingerprinting to true. The whitelist for Windows and macOS contains both a set of Noto fonts which we bundle and fonts provided by the operating system. For Linux systems we only bundle fonts and deploy a fonts.conf file to restrict the browser to use those fonts exclusively. In addition to that we set the font.name* preferences for macOS and Linux to make sure that a given code point is always displayed with the same font. This is not guaranteed even if we bundle all the fonts Tor Browser uses as it can happen that fonts are loaded in a different order on different systems. Setting the above mentioned preferences works around this issue by specifying the font to use explicitly. "
TorBrowser for Android:…
TorBrowser for Android: after version 9.5 finally stopped leaking locale in the http_accept headers, version 9.5.1 unfortunately shows this behavior again. Why?
9.5 did not change that…
9.5 did not change that behavior.
HELLO everyone. How can I…
HELLO everyone.
How can I fully turn off telemetry and associated things? Because in last update settings like "allow Mozilla collect data..." got removed from setting`s panel and how I understood due to comments session - its now switched on by default...
They are already disabled…
They are already disabled. Tor Browser should not send any telemetry.
Yo sooo for some reason I…
Yo sooo for some reason I have a bug that whenever I open links from other apps like let's say I oppend a link from an email tor will not load the link even if I refresh it
Scan Started Wed May 20 04…
Scan Started Wed May 20 04:38:00 2020 (ClamWin Antivirus+ClamSentinel active shield)
C:\...\torbrowser-install-9.5a12_en-US((32bit)).exe: Win.Malware.Nymeria-6913499-0 FOUND
C:\...\torbrowser-install-9.5a12_en-US((64 bit)).exe: Win.Malware.Nymeria-6913499-0 FOUND
What about that?
Probably false-positive.
Probably false-positive, if you verified the Tor Browser installer wasn't modified.
If http download via Tor…
If http download via Tor Browser itself doesn't work, what is the fallback?
In recent weeks I have often experienced the following while trying download various files in various formats from various sites, including TBB 9.5.1 from this site (both the www and onion version), using Tor Browser:
Initially the download seems to be proceeding normally, but when it is about 90% complete (independent of file size) the connection is severed. Clicking "reload" sometimes starts from byte 0 and then fails, and sometimes loads a few more bytes and then fails.
In such cases I have only been able to obtain the file using
torify wget -c ""
but this does not work for onion sites.
Three questions:
o is there an innocuous explanation for these download failures?
o can Tor Project suggest a workaround?
o seeing the "onion available" notice at right in the URL pane is very nice feature, but shouldn't (left? right?) clicking on that notice load the onion version? This does not seem to work for me.
We haven't received other…
We haven't received other reports of the downloading issue. Can you provide an example?
Clicking on the "onion available" button doesn't do anything?
it's not working well on…
it's not working well on macos Big Sur beta , whatever website i open it shows a blank page , it loads the page but everything is hidden
Tor keeps on immediately…
Tor keeps on immediately crashing when started up, before you can even see the connect button
Was happening on the last version (alpha and release) before this one
Log: https://pastebin.com/irNQBMiA
Original Reddit Threadhttps://www.reddit.com/r/TOR/comments/hlk3cx/tor_crashes_on_startup/
huh. https://www.reddit.com…
huh.
https://www.reddit.com/r/TOR/comments/hlk3cx/tor_crashes_on_startup/fx2…
https://gitlab.torproject…
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/400…
I think this topic is an…
I think this topic is an ongoing issue; please correct if I am wrong. I want privacy/safety as we all do. Adjusting script threshold lower does not sound like a good idea (to me). Can you somehow shorten or eliminate the devilish NoScript warning that leaps onto the screen filling and covering the page that I am looking at and then getting smaller although still covering my work? It doesn't seem to care what site I am on and affects my using the computer. It happens too often and is always annoying. I get to where picking the choices is not as good as just x'ing it out. Give it some thought. Thank you.
Are you referring to the XSS…
Are you referring to the XSS protection popup window?
Thank you Tor Project for…
Thank you Tor Project for the amazing work you do! We love you!
It seems TB 9.5.1 is allowing ads through, and suggests terms when I start typing in the url field: things that the previous TB version I had did not do. This is even on "Safest" security settings. I know how to change these behaviors, but I generally never modify TB's settings, as it makes me more unique. Are these changed behaviors known and on purpose? This is on Linux Mint 19.3 and 20 with TB 9.5.1.
No, nothing should've…
No, nothing should've changed in how Tor Browser behaves as you described.
For the last 2 releases…
For the last 2 releases there's been a large border around the browser. The thickness of this border depends on the width and height of the browser. When the browser is in full screen, the left and right borders are pretty wide and the bottom one is extremely wide (I would guesstimate it to be about 10% of the window height).
Here are a few notes from some troubleshooting I've done.
I'm guessing you are…
I'm guessing you are referring to Letterboxing:
https://support.torproject.org/tbb/maximized-torbrowser-window/