New Release: Tor Browser 9.5a5

by sysrqb | February 14, 2020

Tor Browser 9.5a5 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

This release updates Firefox to 68.5.0esr, NoScript to 11.0.13, and on desktop, Tor to 0.4.3.2-alpha. We also added a new default bridge.

The full changelog since Tor Browser 9.5a4 is:

  • All Platforms
    • Update Firefox to 68.5.0esr
    • Bump NoScript to 11.0.13
    • Translations update
    • Bug 30237: Control port module improvements for v3 client authentication
    • Bug 32891: Add new default bridges
    • Bug 31395: Remove inline script in aboutTor.xhtml
    • Bug 27268: Preferences clean-up in Torbutton code
    • Bug 32470: Backport fix for bug 1590538
    • Bug 32414: Make Services.search.addEngine obey FPI
    • Bug 32948: Make referer behavior consistent regardless of private browing mode status
    • Bug 22919: Improve the random number generator for the boundaries in multipart/form-data
  • Android
    • Bug 30767: Custom obfs4 bridge does not work on Tor Browser for Android
  • Windows + OS X + Linux
    • Update Tor to 0.4.3.2-alpha
    • Update Tor Launcher to 0.2.21.1
      • Translations update
      • Bug 30237: Add v3 onion services client authentication prompt
    • Bug 32870: Update version of pion-webrtc
    • Bug 32767: Remove Disconnect search
    • Bug 30237: Add v3 onion services client authentication prompt
  • Build System
    • Linux
    • OS X
      • Bug 33200: Fix permissions on bookmarks.html

Comments

Please note that the comment area below has been archived.

February 14, 2020

Permalink

Refreshing about:tor gives:
[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.removeSheetUsingURIString]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/ExtensionCommon.jsm :: runSafeSyncWithoutClone :: line 75" data: no] 2 ExtensionCommon.jsm:75:12
runSafeSyncWithoutClone resource://gre/modules/ExtensionCommon.jsm:75
cleanup resource://gre/modules/ExtensionContent.jsm:403
close resource://gre/modules/ExtensionContent.jsm:913
destroyed resource://gre/modules/ExtensionContent.jsm:998
observe resource://gre/modules/ExtensionContent.jsm:1016

February 15, 2020

In reply to sysrqb

Permalink

Indeed.

February 14, 2020

Permalink

> Bug 461204: Improve the random number generator for the boundaries in multipart/form-data
Hey, it was fixed for Firefox 74 only. You shouldn't point to Mozilla's bugs, point to your backporting ticket in Trac instead.

February 15, 2020

Permalink

addons.xpi WARN Error parsing extensions state: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [amIAddonManagerStartup.readStartupData]" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: loadExtensionState :: line 1403" data: no] Stack trace: loadExtensionState()@resource://gre/modules/addons/XPIProvider.jsm:1403
scanForChanges()@resource://gre/modules/addons/XPIProvider.jsm:1439
checkForChanges()@resource://gre/modules/addons/XPIProvider.jsm:2905
startup()@resource://gre/modules/addons/XPIProvider.jsm:2429
callProvider()@resource://gre/modules/AddonManager.jsm:215
_startProvider()@resource://gre/modules/AddonManager.jsm:651
startup()@resource://gre/modules/AddonManager.jsm:897
startup()@resource://gre/modules/AddonManager.jsm:3493
observe()@resource://gre/modules/addonManager.js:70

February 17, 2020

In reply to boklm

Permalink

All of them. Looks like they shouldn't have been updated, but somehow Firefox decided the new versions were not the same as old ones and disabled the old versions.

February 17, 2020

In reply to boklm

Permalink

In about:support Extensions table, all extensions disappeared, except HTTPS Everywhere and NoScript.

February 17, 2020

Permalink

When I try snowflake bridge in China, the connection to Tor network is stuck for the following reasons:
2/18/20, 02:41:46.904 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2/18/20, 02:41:49.606 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2/18/20, 02:41:49.606 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2/18/20, 02:41:49.606 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2/18/20, 02:41:49.607 [NOTICE] Opening Socks listener on 127.0.0.1:9150
2/18/20, 02:41:49.607 [NOTICE] Opened Socks listener on 127.0.0.1:9150
2/18/20, 02:41:50.870 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
2/18/20, 02:41:50.870 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
2/18/20, 02:41:51.395 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
2/18/20, 02:42:21.400 [WARN] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (DONE; DONE; count 1; recommendation warn; host 2B280B23E1107BB62ABFC40DDCC8824814F80A72 at 0.0.3.0:1)
2/18/20, 02:42:21.401 [WARN] 1 connections have failed:
2/18/20, 02:42:21.401 [WARN] 1 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE
2/18/20, 02:42:21.404 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
2/18/20, 02:42:21.404 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2/18/20, 02:42:21.406 [WARN] Pluggable Transport process terminated with status code 0

Thanks for trying Snowflake. Unfortunately it is not very reliable yet, so you may have to try several times before you get a connection. If you see it get to 20% or higher, it means you got a Snowflake proxy.

If you want to try an experimental build that is supposed to be more reliable, try the experimental "Turbo Tunnel" Snowflake packages from https://lists.torproject.org/pipermail/anti-censorship-team/2020-Februa…. See https://bugs.torproject.org/33336#comment:11 for a summary of what you can expect. These packages are only experimental and they will stop working after 2020-04-15, but we would like to know if you have any feedback.

February 18, 2020

Permalink

When tabs are opened on Tor browser and we switch to another application on the phone and later come back to Tor browser, we find the tabs closed and are forced to restart the Tor browser.
Android 10, oneplus7

Tor Browser doesn't come with uBlock, and installing it isn't recommended. Tails developers installed uBlock in Tails.
https://support.torproject.org/tbb/tbb-14/
https://tb-manual.torproject.org/plugins/

Advanced users can put back NoScript's icon by opening the 3-bar menu > Customize > drag the icon to the toolbar. New users should not be invited to casually change NoScript unless they understand what it does and accept the warning that changes to it make their browser fingerprint stand out.

February 22, 2020

Permalink

The 2 latest updates of the Tor browser is really driving youtube (spyygle) crazy, or actually it is driving me crazy aswel because it complains waay too much about high traffic. Have to restart the entire browser like every 30 min. Really annoying since it is not enough to just renew the circuit like you could on the earlier versions. Why is that?

February 23, 2020

Permalink

The following comment is relevant to

https://blog.torproject.org/tor-village-iff-2020-call-proposals

[Modertor: that thread is closed to comments--- why?]

> Here are several ideas we're interested for you to explore, but do not feel limited to these:

I would like to reiterate the suggestion that one item of low-hanging fruit--- a problem hard enough to be challenging but not so hard as to be impossible--- is the issue of stylometry. That is, intelligence agencies and other adversaries (e.g. corporate intelligence units and companies such as Tiger Swan) are likely to be actively engaged in using stylistic and linguistic clues to deanonymize posters of dissident opinion (such as the this blog comment). It would not be very hard to provide a tool which "feels" like gedit and which suggests common synonyms for dangerously rare words in a draft post. It would also be not too hard to write tools which parse grammar and help a writer to avoid distinctive grammatical or syntactical constructions. For those interested in turning machine learning techniques back upon our oppressors, a more challenging project would be to use machine learning to try to defend against various attacks on semantic characteristics. Such a tool would be invaluable not only to Tor users seeking to protect their identity in posted political essays, but also to ordinary citizens. For example:

o women who wish to disguise their gender against gender-identification analysis (very common)

o citizens who wish to defend themselves against surveillance tools which attempt to remotely diagnose mental conditions such as depression or schizophrenia, more more controversially, to predict the alleged likelihood of the future commission of violent acts (note that countries such as China and Cuba are already incarcerating persons on the basis of predictive behavioral analysis software, including code often written in the USA).

February 23, 2020

Permalink

The following comment is relevant to

https://blog.torproject.org/tor-village-iff-2020-call-proposals

[Moderator: that thread is closed to comments--- why?]

> Good practices for journalists when using Tails

IMHO, TP is being insufficiently ambitious here. The fact is, all manner of NGOs, unions, political parties, social service agencies and other local government agencies, as well as doctors, lawyers, and private citizens who happen to know a telecom engineer, nuclear power reactor engineer, DEA agent, etc., are increasingly being actively targeted by companies small and large which belong to the rapidly growing international cyberwar-as-a-service industry, whose clients include such dangerous entities as governments and drug cartels.

It should surely be obvious that this already enormous and deeply intrusive industry is already feeling a growing hunger for new targets to feed new markets for state-sponsored and corporate-sponsored APT type malware, electronic emanation exploitation (Tempest), and all manner of close access devices, including but not limited to:

o overt and covert WiFi mesh networks including "smart meter" meshes which serve the dual purpose of real-time WiFi device inventory and geolocation tracking at meter scale resolutions (or finer),
o surveillance drones ranging from enormous Global Hawk drones to butterfly sized microdrones,
o surveillance by swarms of low Earth orbiting microsatellites,
o overt bodycams and "lifelogging" devices,
o covert button cams, pencams, USBcams, clockcams, smoke-alarmcams, etc.,
o surveillance cameras disguised as "urban infrastructure" such as day-night detectors (mounted on top of streetlamps), splices on overhead power lines, rodent traps, telecom cabinets, trashbins, traffic cones, tombstones, anti-theft cameras in high-end SUVs, emergency vehicle lights (often mounted on vehicles such as trucks picking up portable traffic signs), etc,
o close access WiFi mesh penetration,
o close access gear targeting documents printed on laser printers, LCD displays, keyboards, etc,
o gas-powered silent drills for inserting spike microphones from an adjacent office or apartment or hotel room,
o through-wall radars,
o "in plain view" fiber optic cable tapping (in US cities, no-one checks up on mystery crews accessing manholes and messing with critical communications infrastructure).

It is crucial to understand not only that such equipment has long been made available to all manner of federal agencies as well as major financial institutions, but that this gear is rapidly becoming widely available to state, county, and municipal police agencies, as well as corporations and a rapidly expanding and unregulated roster of espionage-as-a-service companies which are increasingly marketing their services to employers, landlords, social service agencies, schools (K12 through research university level), and union-busting corporate units.

Obviously, the scope of the close access surveillance threat is far too big for TP to tackle alone, but it is increasingly critical that privacy researchers be mindful of how defensive software such as Tor products can interact with the wider infrastructure in ways which can endanger users.

Note that Arstechnica has been publishing a series by Jim Salter which can be useful in understanding modern wireless infrastructure:

arstechnica.com
Ten rules for dating my teenage daughter placing your Wi-Fi access points
Wi-Fi is like real estate—the secret is location, location, location.
Jim Salter
23 Feb 2020

(Needless to say, while in this piece Salter is trying to help readers increase the functionality of their personal home WiFi mesh, we can exploit the offered clues to try to make it harder for spies just outside our homes and offices to use close-access technologies to harm us.)

February 23, 2020

Permalink

The following comment is relevant to

https://blog.torproject.org/tor-village-iff-2020-call-proposals

[Moderator: that thread is closed to comments--- why?]

> Here are several ideas we're interested for you to explore, but do not feel limited to these

I request that Tor Project encourage participants to engage in a wide-ranging, honest, and thorough discussion of two vexing problems which so far TP has tended to ignore--- which could have tragic consequences for Tor users all over the world. To wit:

1. What are the most likely USG backdoors in the Tor network and how can TP keep them out? Any discussion cannot be limited to source code published by TP itself, because history and common sense (technically speaking) both strongly suggest that NSA is much more likely to mess with "upstream" code and with critical infrastructure such as pseudorandom number generators and the Directory Authorities than to try to plant obvious backdoors in published Tor source code.

2. What can TP do to make it hard for intelligence agencies (particularly NSA but not limited to NSA) to exploit the volunteer network of Tor nodes by fielding large possibly undeclared families of high bandwidth entry and exit nodes which covertly share datastreams? One tiny, easy, and inexpensive step TP would take would be to restart the invaluable service formerly provided by torstatus.blutmagie.de, and to provide more "official" data to nusenu.

Concerning the suggestion that the Tor community can and must learn from the history of USG cryptographic backdoors, a notable story recently published by the Washington Post is based upon Greg Miller's access to a top secret CIA history of the longest running well known backdoor scheme in NSA history, the crippling of commercial cipher machines sold by CryptoAG and its successor companies:

https://www.washingtonpost.com/graphics/2020/world/national-security/ci…
‘The intelligence coup of the century’
For decades, the CIA read the encrypted communications of allies and adversaries.
Greg Miller
11 Feb 2020

Most privacy advocates will recall how the publication of the landmark history of cryptography by David Kahn, The Codebreakers, MacMillan, 1967, was almost stopped by NSA; fortunately, Kahn's publisher courageously fought back against DOJ threats and the book was published. The book later became a major inspiration for Whitfield Diffie during the long search for what became the first openly published and workable public/private keypair exchange scheme. On p. 432 of the first edition, Kahn, who interviewed Boris Hagelin for his book, provided a strong hint that he knew something was up with CryptoAG: "Hagelin does not attempt to cryptanalyze his own machine ciphers, however, probably because he fully understands the principles of solution and realizes that the [commercial] success of his machines depends upon proper usage". Because the overall lesson of Kahn's history is to trust nothing and check everything, continuously, this statement whatever makes no sense in the context of the rest of the book, unless one interprets it as a cryptic hint that CryptoAG machines were not secure. The apparent hint was immediately noticed by alert privacy advocates, but was strangely overlooked by several dozen governments which should have known better.

Lincoln once remarked that a government cannot fool all of the people all of the time, but perhaps we should not be surprised by evidence that USG found it easy to fool virtually all of the governments (of other nations) for so many decades, because we have so much evidence supporting the view that governments are invariably not only far more evil but also far more foolish than The People they rule.

It is notable that as a teenager, Kahn was a neighbor of William and Elizebeth Friedman, who encouraged his interest in cryptology. After WWII, the relationship between the Friedmans and NSA quickly soured, precisely over the issue of NSA continuing to spy on allies and on US citizens during peacetime, and NSA came to regard the USG's most accomplished former cryptanalyst with deep suspicion. When NSA security agents raided the Friedman's home after NSA absurdly retroactively classified Friedman's landmark Riverbank publications (which has introduced the application of statistics to cryptanalysis), many decades after their pre WWI private publication--- Elizebeth politely served tea to the intruders while William sat in an armchair inscrutably smoking his pipe--- the NSA agents were unaware that WFF had already given his personal copies to his bright teenaged neighbor (David Kahn). WFF was also a personal friend of Boris Hagelin, which played a role in ensuring that CryptoAG continued to sell backdoored machines to targets of the USIC communications intelligence intercept programs (the targets were pretty much everyone but the FVEY members, which is odd because German and Swiss intelligence officials were aware of the scheme; it is notable in light of current events that NATO partners Turkey, Greece and Italy were major NSA targets throughout NSA's existence). Indeed, AFAIK WFF gave Kahn a letter of introduction to Hagelin which resulted in the interview reported in the 1967 book.

As a long-time and loyal Tor user/supporter, I am concerned that TP has for so many years ignored requests to direct some mental energy toward the two problems cited above.

A closely related question: what can TP do to mobilize its US userbase to form a movement of grass-roots opposition to calls from FBI for mandating backdoors in all softwares which use encryption? C.f. FBI's "Going Dark" FUD campaign, which has been furiously promoted by A.G. Barr, Sessions, and Holder--- to mention just the three most recent DOJ officials who have made themselves the avowed enemies of the Tor community.

February 23, 2020

Permalink

The following comment is relevant to

https://blog.torproject.org/tor-village-iff-2020-call-proposals

[Moderator: why is that thread closed to comments?]

Here is a thoughtful piece which makes a very important point which can help us in raising awareness of the dangers of the Surveillance State:

theatlantic.com
How the Coronavirus Revealed Authoritarianism’s Fatal Flaw
China’s use of surveillance and censorship makes it harder for Xi Jinping to know what’s going on in his own country.
Zeynep Tufekci
22 Feb 2020

Users have known why many years before 2017, when that article was written. It should go without saying, but captchas are not sent to your normal browser if you use Tor. Captchas from Google reacting to traffic from tor are in Tor browser only. Google and other trackers you visit on Tor aren't able to learn about your non-Tor browsers unless you tell Google yourself or unless there is a security hole in Tor browser.

From the old FAQs that were moved in 2019:
https://2019.www.torproject.org/docs/faq.html.en#GoogleCAPTCHA
https://2019.www.torproject.org/docs/faq.html.en#GmailWarning
https://2019.www.torproject.org/docs/faq.html.en#Torisdifferent
https://2019.www.torproject.org/docs/faq-abuse.html.en#IrcBans
Or see the new and up-to-date Support site.

A basic understanding of the Tor network also implies the answer: The traffic they see from exit relays is like that of open proxies. Traffic patterns sometimes trigger a site's defenses.

February 29, 2020

Permalink

YouTube Embedded Videos!

Hi I'm having problems getting videos to play in embedded mode. It seems to work sometimes but a lot of times it refuses or it stop working a while later. How can avoid this to happen when embedding videos on other websites than youtube.com?

March 01, 2020

Permalink

Just a heads up it seems that Ctrl + Shift + B ins't working now. It doesn't open the bookmarks menu. Also clicking Show All Bookmarks at the bottom of the bookmarks menu doesn't do anything either.

Running version 9.0.5 (based on Mozilla Firefox 68.5.0esr) (64-bit) on windows.