New Release: Tor Browser 9.5a4
Tor Browser 9.5a4 is now available from the Tor Browser Alpha download page and also from our distribution directory.
Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
This release features important security updates to Firefox.
This new alpha release picks up security fixes for Firefox 68.4.0esr and 68.4.1esr. In addition, this release updates the bundled NoScript extension to its latest version.
Reproducible Builds
The issue with reproducible builds mentioned in the 9.0.1 blog post is now resolved in this release.
ChangeLog
The full changelog since Tor Browser 9.5a3 is:
- All Platforms
- Update Firefox to 68.4.1esr
- Bump NoScript to 11.0.11
- Translations update
- Update OpenPGP keyring
- Bug 31134: Govern graphite again by security settings
- Bug 31855: Remove End of Year Fundraising Campaign from about:tor
- Bug 32053: Fix LLVM reproducibility issues
- Bug 32547: Add new default bridge at UMN
- Bug 32659: Remove IPv6 address of default bridge
- Windows + OS X + Linux
- Build System
Comments
Please note that the comment area below has been archived.
> In addition, this release…
> In addition, this release updates the bundled NoScript extensions to its latest version.
Not sure how many extensions you have, but this release downgrades NoScript from 11.0.12 to 11.0.11...
That is unfortunate. There…
That is unfortunate. There is only one NoScript extension, but I see version 11.0.12 was released within the last few days. The Tor Browser release was frozen earlier in the week. Tor Browser should automatically upgrade NoScript to version 11.0.12 (again).
browser.display.document…
browser.display.document_color_use is still broken, and does not honor '2' the way ESR does.
IE, "colors" dialog page still broken.
Please, stop shipping…
Please, stop shipping Windows Components (d3dcompiler_47.dll) with your bundle.
Why?
Why?
For many different reasons…
For many different reasons... (each version of windows has its own version of that component, it is not recommended to ship windows components, you have to maintain it, etc)
We need to bundle it…
We need to bundle it otherwise it will break for a bunch of users. See https://bugzilla.mozilla.org/show_bug.cgi?id=1460620
I know about this ticket,…
I know about this ticket, and that bunch of users are out of scope as with UCRT. Up-to-date Windows has it, other configurations are not secure and shouldn't be supported.
Up-to-date Windows include…
Up-to-date Windows include telemetry spyware.
See how MS handles it: • All…
See how MS handles it:
• All updates for .NET Framework 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, and 4.6 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see KB 4019990.
https://support.microsoft.com/en-us/help/4535102/kb4535102
If d3dcompiler_47.dll is…
If d3dcompiler_47.dll is available on the system, then this is the version that gets used. We ship it for the Windows 7 users who don't have it on their system, doing the same as what Mozilla is doing.
Exactly, but you shouldn't…
Exactly, but you shouldn't. Security and Mozilla are incompatible. You shouldn't do what they are doing. It's like using Firefox instead of Tor Browser.
> Bug 32676: Create a…
> Bug 32676: Create a tarball with all Linux x86_64 language packs 68.3.0esr
68.3.0esr?
Thanks, I removed the "68.3…
Thanks, I removed the "68.3.0esr" from this line.
Are the alpha releases…
Are the alpha releases generally more or less safe than the current release?
The alpha releases include…
The alpha releases include new changes that have been less tested. Those changes are usually improvements, but they can sometime cause unexpected issues.
In case of critical security issue, we fix the stable release in priority.
Also, there are many stable release users, but only a small number of alpha users. So you are part of a larger group when using the stable release.
If security and anonymity is critical to you, you should stay on the stable release. If you want to see the new changes in advance, and help test them, you should use the alpha.
Does anyone else notice that…
Does anyone else notice that seemingly NoScript releases its new version shortly after the TorBrowser comes out?
Knowing that the TB users will get this update directly from the 3rd party (George) and automatically - without the Tor developer review process - is a concern.
Hope I'm wrong, but it looks like NoScript likes immediately overwriting some anonymity sanitizing that the Tor people configure in NoScript that ships in the TB bundle. Anyone to review?
Even if not, this fore-trusted add-on updating for such a critical plug-in seems to be a security loophole.
Consider disabling the No-Script auto-updating (just release new TB with the updated NoScript). Or make replacing it with an in-house solution a higher priority?
I don't think noscript is…
I don't think noscript is overwriting some anonymity sanitizing. But it is true that it could, and we are considering disabling automatic noscript updates. We have this ticket on this topic:
https://trac.torproject.org/projects/tor/ticket/10498
It's great to see someone…
It's great to see someone else has reopened this issue, but...
This ticket has been open for 6 years!!?
Even the slightest chance of a subversion - is not that kind of critical?
Hope the programmers out there get a signal of urgency and step out to help.
Thanks to all who can.
I want to access TOR browser.
I want to access TOR browser.
You can download it from…
You can download it from https://www.torproject.org/download/
I wanna join the dark web
I wanna join the dark web
Hello. Tor community must…
Hello. Tor community must fight against anti-privacy proposal from Chromium. They want to kill all console browsers.
https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/-2JIRN…
This is pro-privacy proposal…
This is pro-privacy proposal:
Intent to Deprecate and Freeze: The User-Agent string
Summary
We want to freeze and unify (but not remove) the User Agent string in HTTP requests as well as in `navigator.userAgent`
Motivation
The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.
This is a sly lie. This is…
This is a sly lie. This is anti-privacy proposal.
You can see draft. Now you can't easily spoof user-agent header.
https://wicg.github.io/ua-client-hints/
Keep in mind tor browser developers can't spoof user agent in javascript from 8.0.
Why can't I see my answer on…
Why can't I see my answer on this post?
Comments are moderated, so…
Comments are moderated, so sometimes it can take time for them to be visible. See https://trac.torproject.org/projects/tor/wiki/doc/community/blog-commen…
When I installed Tor, at the…
When I installed Tor, at the beginning the last hop of the e-mail rout was:
WhoIs 81.17.27.133? MailHops API Info Location: TZ: Europe/Zurich, , Switzerland Host:
now is mysteriously changed compromising the system because it appears:
WhoIs 109.70.100.20? MailHops API Info Location: Vienna, Austria, Austria Host: tor-exit-anonymizer.appliedprivacy.net
Do you have any advice to restore the previous settings, please?
What do you mean by "email…
What do you mean by "email rout"?
Ich kann machen was ich will…
Ich kann machen was ich will es gibt keine Verbindung zum möglichen Horst auch alle Kontakte zur Webseite sind unterbrochen und werden mit unsicher und veraltete Sicherheitsbestimmungen geblockt!
keine Verbindung mehr…
Keine Verbindung mehr möglich alles wird mit veraltete Sicherheits Bestimmumgen begründet
Keine Verbindung von einen…
Keine Verbindung von einen Tag auf den anderen hier aus deutschland mehr möglich möglich alle Möglichkeiten wurden ausgeschöpft
links not working correctly …
links not working correctly
.onion links sometimes don't work. It's like refreshing the page but it works the second time.
and please add more video file types. Some videos does not load when I try to.
Could you give examples of…
Could you give examples of onions and videos that aren't working so they could test them?
When will WebAssembly arrive…
When will WebAssembly arrive in Tor Browser?
It is currently enabled in…
It is currently enabled in the standard level in the alpha.
After enough testing in the alpha, we will probably backport it to the stable branch at some point. This is the ticket about this:
https://trac.torproject.org/projects/tor/ticket/21549
Thanks, good to know. I need…
Thanks, good to know. I need it for a web application of mine.
Why in china i can not use…
Why in china i can not use TOR even my IP in japan?
Are you using bridges? Try …
Are you using bridges? Try "meek" first.
https://support.torproject.org/zh-CN/connecting/
https://support.torproject.org/zh-CN/censorship/
https://support.torproject.org/zh-CN/gettor/
> even my IP in japan?
What do you mean?
I hv been using the 9.04 and…
I hv been using the 9.04 and the alpha build for pc.
Before the update to 9.04, TOR Network work really fast from Indonesia using obs4 or meek.
But now after 9.04 update, the network become so slow. Loading a search result from DDG took about 3min.
I try using meek and it fail to connect. When I dont use bridge, it also become more slow. Checking from the log, I just aware Indonesia only have 3 to 4 bridge available.
In the alpha build, the snowflake bridge also failed to connect.
When I try android version, it also took same response.Trying different website and it also slow.
Now back to pc version:
Looking in the hop list, I aware that my final hop always been changing itself every 4sec.
Something seems wrong in bridge network of TOR. Some website also ask my age, seems like the cookies never saved.
I use requested bridge from…
I use requested bridge from TOR. Allow firewall & turn off controlled access folder.
But TOR still slow loading media (pictures and video).
It even slow loading media from TORproject.org.
The only it fast loading image is from duckduckgo.
> Update OpenPGP keyring …
> Update OpenPGP keyring
What does this mean exactly? Will your keys I saved no longer verify your files I download? Do I have to accept the key from "--locate-keys" as the only source and can't corroborate it?
The Tor Browser build…
The Tor Browser build process involves downloading components from various places, which we verify using gpg. This line in the changelog is about updating one the gpg keyring we use for that. Actually I think it should have been in the "Build System" part.
First, THANKS for all your…
First, THANKS for all your work TBB Developers!!!
Clicking on the (i) Icon next to the URL bar I can't see the circuits anymore. Why is that?
All I see is "Connection" and "Permissions" ....
Tor Browser is tor-browser-linux64-9.5a4_en-US.tar.xz in Whonix-Workstation.
Did this work in the past? I…
Did this work in the past? I think that the circuits view is disabled in Whonix and maybe has always been.
I'm sorry I didn't get back…
I'm sorry I didn't get back to you sooner.
Your are right! Tested TBB (9.0.4 and 9.5a4) on my "normal" Fedora Workstation (non Whonix) - and it works.
It's the first time I gave Whonix a try - and and most likely it has always been so one cannot see the circuits.
Thanks for your anwer! :-)
I want orfox
I want orfox
Orfox has been replaced by…
Orfox has been replaced by Tor Browser for android.
Thank you for the privacy…
Thank you for the privacy sweeper. That is exactly what I often use.
The "security level" shield has practically seen only three alternatives to choose from. Why could it not be a drop down menu? Then I could get through with two clicks instead of five now.
The reason to have the…
The reason to have the security level in the preferences pane is to reinforce the idea that it is being applied to the whole session and not just to a particular tab or window. A drop down menu could give the impression that it applies only to the current tab or window.
> idea that it is being…
> idea that it is being applied to the whole
> session and not just to a particular tab or
> window
You are right. The basic options of TorBrowser must meet the needs of very low-level-skilled user of tor.
What if the drop down menu text has a warning like
– this setting affect ALL tabs and running windows
Basically each user has to learn that information only once so the first time they use this drop down they must “qualify” (accept the above rule) or something.
Tor is vulnerable to css…
Tor is vulnerable to css exfil vulnerability
Do you have any detail? See…
Do you have any detail?
See also our contact page about how you can report security issues:
https://www.torproject.org/contact/
Eu gostaria de navegar neste…
Eu gostaria de navegar neste navegado
hi thank you for tor project…
hi thank you for tor project and your hard work but i wish you add tor translate is like google translate really it helps a lot thank you
On Android 8.1 custom…
On Android 8.1 custom pluggable transports dont work at all, only the built - in ones work.
I can only connect to normal custom bridges.
It stucks at 10%, tls handshake cannot be completed for some reason.
I have the same problem even if I connect first to a VPN and then to TOR.
I dont have that problem if I use TOR from Linux in the same router.
Also I dont use any firewall on my android and the device is not rooted.
We have this ticket for this…
We have this ticket for this issue:
https://trac.torproject.org/projects/tor/ticket/30767
It should be fixed in the next alpha release.
It would be very helpful if…
It would be very helpful if an option to request dekstop site by default existed on android.
Enabling dekstop site reduces fingerprinting with javascript disabled.
On Android if I disable…
On Android if I disable cookies the are still enabled; I have to enable and re-disable them in order to be disabled every time I open Tor Browser.
Cookies are automatically…
Cookies are automatically cleaned when selecting new identity, or restarting the browser. But disabling cookies completely will make your fingerprint different from most people, so it is not a good idea.
Hello everyone, release 9.0…
Hello everyone, release 9.0.4 ko.
In one tab, https://www…
In one tab, https:// www . sammobile. com/samsung gives:
but it opens in another tab!
тор это здорово.
тор это здорово.
hey hru
the best