New Release: Tor Browser 9.0a1

by boklm | May 22, 2019

Tor Browser 9.0a1 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

Tor Browser 9.0a1 is the first release in the 9.0 alpha series. It contains all the improvements and fixes from the 8.5 release as well as other new features:

  • Tor Launcher is getting tighter integrated into the browser as a preparation step for the switch to Firefox 68 ESR. That results in it not showing up anymore on the about:addons page while still being available (and we don't need to make a code-signing exception for it either anymore, which is nice). See the underlying proposal for this decision for full details.
  • We backported Mozilla's Letterboxing feature which allows us to finally tackle the problem of not properly rounded screen dimensions in case users start to maximize or otherwise resize the browser window. Letterboxing is off by default for now, although we plan to enabled it in one of the upcoming alpha releases. If you want to check it out and report issues please add the privacy.resistFingerprinting.letterboxing preference on about:config and set it to true. Many thanks to Tom Ritter and anyone else at Mozilla who has been working on that problem and designing the current approach.

The full changelog since Tor Browser 8.5a12 is:

  • All platforms
    • Update Firefox to 60.7.0esr
    • Update Torbutton to 2.1.9
      • Bug 30069: Use slider and about:tor localizations
      • Bug 30115+27449+25145: Map browser + domain -> credentials to fix UI issues
      • Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate
      • Bug 30425: Revert armagadd-on-2.0 changes
      • Bug 30497: Add Donate link to about:tor
      • Bug 30464: Add WebGL to safer descriptions
      • Translations update
    • Update HTTPS Everywhere to 2019.5.6.1
    • Bug 24622: Proper first-party isolation of s3.amazonaws.com
    • Bug 30425: Revert armagadd-on-2.0 changes
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.19
      • Bug 28044: Integrate Tor Launcher into tor-browser
      • Bug 29627: Moat: add support for obfsproxy's meek_lite
      • Bug 30139: Remove FTE bits
      • Translations update
    • Bug 28044: Integrate Tor Launcher into tor-browser
    • Bug 30372: Backport letterboxing (bug 1538130)
    • Bug 28369: Stop shipping pingsender executable
    • Bug 30457: Remove defunct default bridges
    • Bug 29045: Ensure that tor does not start up in dormant mode
    • Bug 29641: Try to connect over IPv6 if needed
  • Windows
  • OS X
    • Bug 30241: Bump snowflake version to d11e55aabe
  • Linux
  • Android
    • Bug 29982: Force single-pane UI on Tor Preferences
    • Bug 30086: Prevent Sync-related crashes on Android
    • Bug 30214: Kill background thread when Activity is null
    • Bug 30239: Render Fragments after crash
    • Bug 30136: Use 'Tor Browser' as brand name on mobile, too
    • Bug 30069: Use slider and about:tor localizations
    • Bug 30371: Stop hard-coding the content provider name in tor-android-service
    • Bug 30162: Tor Browser bootstrap process got stuck after interrupting it
    • Bug 30166: If specified, only use custom bridges for connecting
    • Bug 30518: Add SocksPort flags for consistency across platforms
    • Bug 30284: Fix broken start-up on KitKat devices
    • Bug 30489: Remove Unused Resources from tor-android-service
  • Build System
    • Windows
      • Bug 29307: Use Stretch for cross-compiling for Windows
      • Bug 29731: Remove faketime for Windows builds
    • Linux
      • Bug 30377: Remove selfrando from our build system
      • Bug 30448: Strip Browser/gtk2/libmozgtk.so
    • Android
      • Bug 29981: Add option to build without using containers
      • Bug 30169: Switch to our tor-android-service repo
      • Bug 30404: Remove Orbot Project
      • Bug 30280: Wrong SHA-256 sum for j2objc-annotations-1.1.jar

Comments

Please note that the comment area below has been archived.

May 22, 2019

Permalink

So much work! Thank you so much to the Tor Browser team + UX team (antonela o/) and also the hard working people at Mozilla (especially those contributing to antifingerprinting and 1stpartyisolation)!

The "add" is key. To quote from the blog post, "… add the privacy.resistFingerprinting.letterboxing preference …". Try right click in the list, "new" and then "boolean".

May 22, 2019

Permalink

Integrate Tor Launcher into tor-browser

I make I2p browser from Tor Browser. How me off Tor Launcher and Tor Button?

May 23, 2019

In reply to gk

Permalink

Yes, that's what I meant. So far so good. Finally, I do not even have the feeling that I am browsing anonymously :-) How can I report a problem if I discover it?

May 22, 2019

Permalink

Does this update fix the ddos exploitation?Tor is unsafe until this is fixed. How could you tell people they are safe with this bug. You all should be ashamed . Please fix this problem NOW or discontinue tor

Entitled much?

How about doing some basic reading on the issue before commenting?

You're commenting on a blog post about the Tor Browser release, but the issue needs to be fixed within Tor, so your comment is completely displaced here. So is your wording.

It's also not some trivial bug which can be fixed on the fly because you told so, solving this will need fundamental changes within the tor protocol itself, which naturally needs to take the possible consequences in account.

And yes, they're working on it. Parent ticket here: https://trac.torproject.org/projects/tor/ticket/29999

It's just annoying to have every single Tor Browser release announcement spammed with this shit - even more with that attitude dear..

May 22, 2019

Permalink

No one cares about these little fucking fixes. People are being Deanonomized by kid hackers in 10 minutes with little resource using tor . PLEASE STOP TELLING PEOPLE THEY ARE SAFE OR FIX THE FUCKING CRYPTO BUG that allow children to bring down government sites with ease? How can you even allow people to download this software

May 22, 2019

Permalink

Selfrando was a big news. No hope for this protection on Linux?

We don't plan to move forward with Selfrando deployment as it is not much more work for a browser attacker to bypass it [...] All in all I think the gains for our alphas are not worth the effort.
(from https://trac.torproject.org/projects/tor/ticket/30377 above)

That ticket states one opinion and no team discussion. Was this a well-researched conclusion?

Not sure what you mean with well-researched but it took into account the issues we were facing with selfrando + possible protections we gain from it + investigations done by external parties (Mozilla).

May 22, 2019

Permalink

How do you invert the colors on Tor Browser? I tried changing the text and background values here, but the background is still a blinding white.

Preferences | Fonts & Colors | Colors | Text and Background

Would changing these values make it easier for trackers to id my browser?

Unfortunately Overrride | Always didn't work for me. I found a comment elsewhere that said changing the background color doesn't work on some operating systems. Compton was suggested so I used that.

May 22, 2019

Permalink

So many of us are waiting to get a standalone APK for Tor Browser for Adnroid without Orbot? Please make it happen soon.

May 24, 2019

In reply to gk

Permalink

I guess you misunderstood or maybe I did. Could you please take a look again at this Reddit post?

I tested the 8.5 version on Android and it starts with another instance of Orbot in the background just like it had been since last year release. So please forgive me to ask this again, but how this release gives us a separate Tor Browser APK that can work with The Guardian Project's standalone Orbot APK?

Please shade some lights.

The only separate Tow Browser APK I found to be working is 60.2.1 version of Tor Browser for Android (Alpha), which was released last year before new release got merged with Orbot.

May 24, 2019

In reply to sysrqb

Permalink

Thank you for that info. But isn't that request something a bit different than requested here? There, the user does not want to use Orbot while here it's the main requirement along with a separate Tor Browser apk.

Earlier I thought this request to be solved sooner since @gk looked promising to push it in the upcoming release. Biggest disadvantage of current release is losing Android's Always-on VPN function. Which prevents data leaks and forces all apps to pass through Tor.

I am hopeful that Tor devs will come out with some solution soon.

Ref.: https://vbdvexcmqi.oedi.net/comment/281763#comment-281763

If I understand you correctly, you either want a Tor Browser APK that doesn't contain the tor binary, or you want an option to disable Tor Browser Bundle's tor binary and tell Tor Browser to use Orbot's tor binary. Orbot basically is the tor binary packaged by Guardian Project. If the first one is what you meant, then gk answered your question. "If you mean "no included Tor [binary]" that won't happen and is done so by design." If the second one is what you meant, then the ticket sysrqb pasted is a bit unclear about which Orbot-- Tor Browser Bundle's at the time or Guardian Project's --the ticket wants to disable. The ticket says "built-in Orbot" which, if it means TBB's, is the second of my two guesses about what you meant. If the ticket means Guardian Project's, then you should create a new ticket.

Names need clarity if there are multiple meanings. Tor (capital T), tor (lowercase t), Tor Browser, Tor Browser Bundle, Tor Project, and which Orbot.
https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#UsageofTora…
https://jqlsbiwihs.oedi.net/misc/glossary/#tor-/-tor-network/-core-t…

Back then it was Orbot, I'll adjust the ticket title. What is meant is making an option to use Orbot (or whatever provides you with a non-Tor Browser-tor) instead of the tor we ship.

May 23, 2019

Permalink

I just updated to version 9.0a 1, everything`s fine. But now I can`t open the stable version any more. Trying to do this I get the following message:

Error: proxy server denies connection
Firefox has been configured to use a proxy server that rejects the connection.

What can I do to be able to use both the stable version and the alpha version?

May 23, 2019

In reply to boklm

Permalink

I didn't express myself correctly: After updating the alpha version I can't use the stable version even after closing the first one. The above message will be displayed.

May 24, 2019

In reply to gk

Permalink

I am using macOS Mojave 10.14.5 and have both versions installed in my MacBook Pro application folder.

About 2 years ago the described problem occurred already once. At that time, the solution was to completely delete and reinstall both versions of TorBrowrser.

Where do you have both versions installed, too? The problem is probably that you just installed them as usual into /Applications. But that very likely breaks as now the first Tor Browser is getting installed there and the user profile is created in /Application\ Support/TorBrowser-Data/. If you install the second one (say, the alpha) at the same location the user profile does not get overwritten and you are using the one for Tor Browser stable which could cause all sorts of issues.

May 27, 2019

In reply to gk

Permalink

I decided to only use the stable version in the future because I don't have the time to get involved with this problem. I have removed the alpha version, since then there are no more problems.

Thanks for your efforts.

May 23, 2019

Permalink

A lot of changes for Android, and there's no update on Google Play.
There's a new stable Tor release available, but you shipped old 0.4.0.4-rc.
Something is definitely wrong with your Release Management.

Thanks for the report. I see 9.0a1 on Google Play. Does it show up for you now? Yes, we could have shipped 0.4.0.5. However, this is an alpha channel and 0.4.0.4-rc was the last Tor alpha release. Thus, you could argue we are good here as well. Anyway, a new alpha got released two days ago and we will pick that one up in the next point release.

May 24, 2019

In reply to gk

Permalink

Now yes. But where is the link to it in this blog post and in the download page?
No, you are not good with testing new Tor features using rc when stable is available.
And it's not good to pick up 0.4.1.x Tor, when you are preparing to ship 0.4.0.x to stable.

The alpha is used for a bunch of purposes. One is to test the next Tor Browser stable, yes. But at the same time it is used for the network team to find client side bugs as good as possible which is why it is important to ship new Tor alphas in Tor Browser's alpha series to give them a wider testing.

May 23, 2019

Permalink

5/23/19, 17:38:45.720 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
5/23/19, 17:38:46.480 [NOTICE] Bootstrapped 14% (handshake): Handshaking with a relay
5/23/19, 17:38:46.225 [NOTICE] Bootstrapped 15% (handshake_done): Handshake with a relay done
5/23/19, 17:38:46.227 [NOTICE] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
5/23/19, 17:38:46.230 [NOTICE] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
5/23/19, 17:38:46.232 [NOTICE] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
5/23/19, 17:38:52.746 [WARN] Problem bootstrapping. Stuck at 95% (circuit_create): Establishing a Tor circuit. (Network is unreachable [WSAENETUNREACH ]; NOROUTE; count 1; recommendation warn; host 9B24B2149631167704362E07356A9E9BFC1F0F05 at 2a01:4f9:2a:3d9:200::201:9001)
5/23/19, 17:38:52.758 [NOTICE] Bootstrapped 100% (done): Done
5/23/19, 17:38:52.761 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
5/23/19, 17:38:52.761 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
5/23/19, 17:38:52.761 [NOTICE] Delaying directory fetches: DisableNetwork is set.
WTF?

May 24, 2019

In reply to gk

Permalink

As it's written in the log, Tor Browser got stuck during boot and asked to reconfigure it. Then after pressing Connect, it worked as usual.

Seen same

5/31/19, 17:30:48.736 [WARN] Problem bootstrapping. Stuck at 30% (loading_status): Loading networkstatus consensus. (Network is unreachable; NOROUTE; count 2; recommendation warn; host B84F248233FEA90CAD439F292556A3139F6E1B82 at 2a00:1298:8011:212::164:9004)

Some reason it tries IPv6 address.

May 25, 2019

Permalink

  1. Tor WARN: Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (Network is unreachable [WSAENETUNREACH ]; NOROUTE; count 2; recommendation warn; host 9B24B2149631167704362E07356A9E9BFC1F0F05 at 2a01:4f9:2a:3d9:200::201:9001)<br />
  2. Tor WARN: 1 connections have failed:<br />
  3. Tor WARN: 1 connections died in state connect()ing with SSL state (No SSL object)

It looks like Tor tries IPv6 in IPv4 network...

May 26, 2019

Permalink

Certain web pages keep asking for HTML5 canvas access. How can one set the default to block?

May 27, 2019

Permalink

With every update, torbrowser "sucks" more - in particular memory and cpu. The new version on a 3,5GB-memory 64Bit machine is considerably slower than the 1 year old version was on my 1,5GB-32Bit machine.

Torbrowser wants to support activists around the world. What hardware do you think the majority of these activists have available? You think they're all equipped like Silicon Valley geeks? Even some of my friends in The North still run old 32Bit-Thinkpads for their political activism.

Frustrating by the way that the 32Bit-Linux version doesn't run (and seemingly isn't supposed to run) on a 64Bit machine.

A lightweight variant or a much lighter Torbrowser is urgently needed if Torbrowser is intended to be put to the uses it claims to be intended for!!!

Hello!

>> torbrowser "sucks" more - in particular memory and cpu.
Meanwhile I did not had observations of slowdowns of TBB, but I did not checked specially.
Have to say that mentioned by Mr. "exit" situation really may appear.
So I would like to prevent it.
Dear TBB-developpers! - Please keep the hand on the pulse!!!

>> Torbrowser wants to support activists around the world.
>> What hardware do you think the majority of these activists have available?
>> You think they're all equipped like Silicon Valley geeks?
>> Even some of my friends in The North still
>> run old 32Bit-Thinkpads for their political activism.

Absolutely.
Recently I saw discussion at https://www.opennet.ru/opennews/art.shtml?num=50638 - why Tails is not 32-bit. Like for me Tails-developers just cut their expanses (time, money,efforts, etc ) by dropping 32-bit users. Very sad.

June 01, 2019

Permalink

Developer! Hello! Now you have made the first final release of the program "Tor Browser" for android devices, and further develop this project, this is good. Very happy. You have developed the program "Tor" for os Wndows, linux ..
In this regard, the question;
Do you plan to develop a similar program "Tor" for android devices based on the program "Orbot"?

June 02, 2019

Permalink

08:32:55.251 Got a mutation for an unexpected actor: server1.conn1.child1/domnode63, please file a bug on bugzilla.mozilla.org! 1 inspector.js:307:11
08:32:55.252 console.trace(): 1 inspector.js:309
WalkerFront<.getMutations

How so? The amount of clicks you need for changes the level does not have changed (previously 2, now 2) and the amount of clicks you need to see on which level you are on has improved (previously 2, now 0).

June 04, 2019

Permalink

About Tor Browser dialog:
15:36:12.897 Invalid string label 1 (unknown)
and when pressing the button to update.

June 08, 2019

Permalink

Hello Tor developers & users!

How can I easily know and understand the differences
between the various Tor Browser (TB) versions
(for example current v8.0.9, v8.5.1 and v9.0a1)?

Which preferences and about:config settings values is common
and which is vary in all these TB variants?

Where can I read about this more, in clearly explained form?

(I'm unexperienced TB user, began using it this New Year.)

Thanks in advance.

(sorry for possible double posting - there was a browser glitch.)

There is no clear explanation on the exact differences between stable and alpha versions. You have to diff the respective components' source code. The alpha, in general, contains features and bug fixes that need a bit more testing time than what we already give them and/or those things that a basically too invasive for a stable series (like toolchain changes).