Tor Browser 9.0 is out with important changes
Tor Browser 9.0 has been released this week; it is the first version of Tor Browser that is based on Firefox 68 ESR (as opposed to Firefox 60.x, on which previous versions of Tor Browser were based).
The new version of Tor Browser is already available for download on the official project website at Tor Project. The browser is available for Windows, Linux and Macintosh computer systems as well as Android devices.
Existing users may update Tor Browser automatically or manually. A click on Menu > Help > About Tor Browser runs a manual check for updates within the browser's interface.
Tor Browser 9.0 loads the default New Tab Page on first start. There you find the "See what's new" link to display information about major changes in the new browser version.
The Onion Button is no longer available in Tor Browser 9.0. The team wanted to integrate Tor fully into the browser and added Tor Circuit information to the browser's i-icon in the URL bar.
A click on the icon displays the usual connection and permissions settings known from the Firefox web browser and Tor Circuit information that provides connection information.
There is also a new toolbar button called New Identity that allows users to reset the identity (which requires the restarting of the Tor browser). The feature is now easily accessible from within the Tor Browser interface.
The team has integrated Tor settings into the browser's preferences. Tor users may load about:preferences#tor directly in the browser's address bar to open the settings or go to Menu > Options > Tor manually.
Bridges, proxy settings, and allowed ports can be configured on the page. All it takes is to check the main box to enable a preference and use the fields and menus to configure it. If the firewall is very restrictive, you may configure the browser to use ports 80 and 443 exclusively for connections, as these are the ports least likely to be blocked by the firewall.
The browser window is configured to use letterboxing by default. The technique adds white margins to the browser's frame so that users can resize the browser window while fingerprinting based on screen dimensions is still prevented.
Tor users who dislike the feature can turn it off in the following way:
- Load privacy.resistFingerprinting.letterboxing in the browser's address bar.
- Set the preference to False.
Tor Browser 9.0 comes with support for two additional languages, Macedonian and Romanian, which brings the total number of supported languages to 32.
Interested users find the full changelog on the official Tor Project website.
I have just turned back to previous version because version 9 doesn’t allow manual update any longer.
Hello!
How to turn Windows Tor Browser 9.0 update check from automatic to manual?
In about:config,
app.update.auto is removed,
app.update.doorhanger: false can stop the annoying pop-ups,
but update check is still going on, if Tor Browser can not connect to Tor Project.
Can anyone help me please? Thank you in advance!
You can use Toggle Cookies – https://addons.mozilla.org/en-US/firefox/addon/togglecookies/
Sets, block all – or allow first-party only.
They removed the user interface in the preferences to block cookies (and thus local storage, indexedDB, cache storage, service workers… all controlled by that setting), because it was mixed with tracking protections controls and they have removed tracking protection. Now about:config must be used.
Could you please update https://www.ghacks.net/2018/11/26/can-you-use-the-tor-browser-without-tor-connection/ ?
NSA
Hi!
Since the update to tor browser 9.x my about:config preferences don’t stick anymore. They get reset every time I restart the browser. I tried setting a custom user.js within the profile folder but even that gets ignored / overruled. Can anyone help please?
Thanks in advance!
Upon update my Tor browser followed my OS setting and went into Dark Mode.
What is this “Dark Mode” in the OS setting?
It is a systemwide option in macOS. Some browsers show certain web sites dark.
I assume you’re being sarcastic? Dark mode is not a “windows 10 only” thing and for many people it’s far more comfortable for our eyes.
If you’re not, and you are running windows 10, open settings and search for “Dark” in the ‘find a setting’ box.
I suppose it’s just too much to expect that Tor can be configured to place tabs below the location bar…
Yes, let’s just join the Google led sheep flock instead…sigh
Does this get rid entirely of the “don’t resize the window” rule ?
IMO, That rule is stupid. Someone can find out the size of the window! So what? This is rule based on the assumption you’ll run the browser full screen. Then someone can tell what size your monitor is. Which is probably the same size as at least another billion people so it’s not so unique huh?
Here,
in the address bar, type “about:config”
create 2 new integers
“privacy.window.maxInnerHeight” “600”
“privacy.window.maxInnerWidth” “1200”
and set the integer values to whatever you want in pixels.
> IMO, That rule is stupid. Someone can find out the size of the window! So what? This is rule based on the assumption you’ll run the browser full screen.
Then you don’t understand how Tor Browser/Firefox’s RFP works here. All metrics are **tied** to the inner window, and there are a lot of them: see https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html . So no, this does not assume full-screen, FS is just one of many possible inner window dimensions.
> Then someone can tell what size your monitor is. Which is probably the same size as at least another billion people so it’s not so unique huh?
Then you don’t understand how this works. Sure there are some very common resolutions, but there are **lots** of real world values here: why should you be any more special than someone with a more unique value?
And you don’t understand entropy either, apparently. So what if you’re the same as lots of other people (“the same size as at least another billion”), what matters is that you’re easily identifiable as a Tor user (now you’re down to 6 million for example, of which only 1 million have the same screen res) .. and now I can easily detect you’re on Windows (so that makes 1 in 400K), and so on. Fingerprinting is combined uniqueness of many characteristics.
Well when you put it that way, my browser doesn’t match the usual TOR profile now does it?
“That’s not TOR! TOR browser windows are always X height by Z width plus or minus a few pixels”.
Yes I do understand this issue, I just don’t think window size is that big of a deal when it’s just privacy I’m interested in and not breaking the law. I’m not really worried about what ‘they’ know about me, I’m irritated they make money from it and I don’t get any!
There is always more that I don’t know though. For example, on the site you linked.
If I load it up, it’s almost completely empty. Nearly all the entries have no data except for screen size and it still says firefox when using the TOR browser.
This is because JS is disabled globally (NoScript). If I temp allow it for that site all the data fills up. Now my question.
Do I have to allow the script to run ‘before they get any data back’ or is it only needed to display it on my end?
> Do I have to allow the script to run ‘before they get any data back’ or is it only needed to display it on my end?
There’s active and passive fingerprinting, and there’s client-side and server-side. Everything on that test page is just client-side JS and CSS (for now). There’s about eight or nine “methods” to defeat overall fingerprinting, that you can apply to each FPing threat. One of those is to reduce the attack surface. Disabling JS certainly does that. That’s what the safest level in the TB slider does.
> and it still says firefox when using the TOR browser
As the section header says, that’s for fun to show how easy it is to detect the browser (Firefox), version and OS. I’m trying to educate users that you can’t hide this, and that spoofing the User Agent is ineffective. Since TB is based on Firefox, 99% of the code is the same. I’m not “really” trying to detect Tor Browser (there are other ways to do this), I’m just using some JS for these. But where I can (and I could do more) be 100% certain, I do say that. As long as one of them says it (e.g from the resource test), then the others don’t matter (e.g the math test), because it only takes one to know it’s TB.
> I just don’t think window size is that big of a deal when it’s just privacy I’m interested in
Fingerprinting aims to make you unique. This facilitates tracking. The linkage of all your activity via a tracking / data broker creates a shadow profile of metadata. Screw up once (OpSec) and link that back to the real you, and there goes your anonymity. Tor Browser is built to be “anonymous” out of the box (i.e it doesn’t link back to the real you). But only you can really control your “privacy” (what you did), and “anonymity” (revealing who you are by your actions). This is what is called OpSec. Privacy and anonymity are two different things.
> Does this get rid entirely of the “don’t resize the window” rule?
No. But what it does do is ensure that the “inner window” is always rounded (basically 200px widths and 100px high, but it can step in 50px at lower resolutions).
Letterboxing now takes care of all the new window sizing errors
– when the bookmarks toolbar is shown on new windows the height is usually short 2 to 5 pixels, and can also be affected by theme density, and by non-builtin themes
– some linux desktop environments fail to round properly
– dpi or windows scaling not at 100 can cause the new window to be slightly large
Letterboxing also takes care of all the chrome you can change during a window’s session: just as toggling the menubar, sidebar, manually resizing, maximizing, full-screen, and more. There’s a couple of cases to backport from FF69 (findbar and docked dev tools).
So now, all those anomalies mean no weird non-rounded sizes, which drastically reduces the number of sizes that can be reported. So if you do maximize for a while, you won’t be unique in this metric, or if you do drag the browser wider/bigger for usability, again, you probably won’t be unique in this metric. There’s still a lot of width/height combos, and not that many Tor users: so staying at the default 1000×1000 (or 1000×900 etc) is the best move **for now**. But if your threat model doesn’t call for it, then resize away.
I say **for now** because how we defeat entropy in “screen” metrics (screen, available screen and related @media css) will hopefully change and the potential damage from resizing the “chrome” will be drastically reduced. I’d tell you more, but I’m sure it’d just be boring :)
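The rounding described in the comment above, as an added example (not part of the article or its comments, and not Firefox's code): it models letterboxing with the 200px/100px steps quoted there and counts how many distinct sizes a page could observe with and without it. The `lowRes` flag, the function names and the sample window range are assumptions made for illustration.

```javascript
// Simplified model of letterboxing (added example, not Firefox's code).
// Steps come from the comment above: 200px wide, 100px high, or 50px
// "at lower resolutions". The lowRes flag is a hypothetical stand-in.
function letterbox(availWidth, availHeight, lowRes = false) {
  const stepW = lowRes ? 50 : 200;
  const stepH = lowRes ? 50 : 100;
  // Round down to a whole step; areas smaller than one step are left alone.
  const round = (v, s) => (v < s ? v : v - (v % s));
  const width = round(availWidth, stepW);
  const height = round(availHeight, stepH);
  // Whatever is left over is the margin drawn around the page.
  return { width, height, marginX: availWidth - width, marginY: availHeight - height };
}

// What a page would see with no rounding at all.
const raw = (w, h) => ({ width: w, height: h });

// Constructed sample: every content area reachable by dragging a window
// anywhere from 1000x700 up to 1399x999 in 1px steps.
function sampleWindows() {
  const out = [];
  for (let w = 1000; w < 1400; w++) {
    for (let h = 700; h < 1000; h++) out.push([w, h]);
  }
  return out;
}

// Count the distinct width x height pairs a page could observe.
function distinctSizes(samples, transform) {
  const seen = new Set();
  for (const [w, h] of samples) {
    const r = transform(w, h);
    seen.add(`${r.width}x${r.height}`);
  }
  return seen.size;
}

// Upper bound on identifying bits if every observed size were equally likely.
const maxBits = (count) => Math.log2(count);

function compare() {
  const samples = sampleWindows();
  const rawCount = distinctSizes(samples, raw);
  const boxedCount = distinctSizes(samples, letterbox);
  return { rawCount, boxedCount, rawBits: maxBits(rawCount), boxedBits: maxBits(boxedCount) };
}

console.log(letterbox(1366, 768), compare());
```

In this constructed range, 120,000 raw sizes collapse to six rounded ones, which is the reduction in reportable sizes the comment refers to.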
@Martin Brinkmann:
Thanks, Martin! This was very helpful, and I’ll doubtless be referring back to it as the need arises. I’m “looking forward” to manually updating Tor Browser on my two Ubuntu-based Linux computers…
UPDATE: No multi-step manual updating is required in manually installed Tor Browser for Linux! Tor Browser’s one-click internal updating feature worked fine for me. (I’m still *so* glad I dumped that awful, *defective* Tor Browser package from the Ubuntu repo and replaced it with a manual install.)
This is the first time I’ve heard of the privacy.resistFingerprinting.letterboxing preference.
This also works in Firefox 70. Too bad that the border doesn’t use the background color of the existing webpage.
I found out you can change the background color with userchrome.css.
Here’s what I’m using:
stack.browserStack {background:#333}
Looks like the error I reported for Tor 9 was down to needing to re-install (vc_redist.x86) in my case, or x64.
Clearly something has changed on the Tor end.
Well, for the first time ever, my update has bricked Tor from loading….
The program can’t start because api-ms-win-crt-convert-I1-1-0.dll is missing from your computer. Try reinstalling the program to fix this problem.
:(
Will have to see what to do here!
Had a similar problem when I updated to TOR v.9.
Got something like “The application failed to start error 0x00000ba” when I tried to run TOR.
Installing KB2999226 fixed it.
Update for Universal C Runtime in Windows
https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows
Get the msvc runtime pack? https://tiny.cc/vcredist