New Release: Tor Browser 10.0.15
Update: 9 April 2021: Android Tor Browser 10.0.15 is now available.
Tor Browser 10.0.15 is now available from the Tor Browser download page and also from our distribution directory.
This version updates Openssl to 1.1.1k. In addition, Tor Browser 10.0.15 includes a bugfix for when Javascript is disabled on websites.
Relay operators who use the Windows Expert Bundle are strongly encouraged to upgrade their relay.
Note: Tor Browser will stop supporting version 2 onion services in June (two months from now). Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.
The full changelog since Desktop Tor Browser 10.0.14 and Android Tor Browser 10.0.12 is:
- Windows + OS X + Linux + Android
- Update Openssl to 1.1.1k
- Bug 40030: Add 'noscript' capability to NoScript
- Android
- Update Fenix to 87.0.0
- Update NoScript to 11.2.4
- Update Tor to 0.4.5.7
- Translations update
- Bug 40045: Add External App Prompt for Sharing Images
- Bug 40047: Rebase android-components patches for Fenix 87.0.0
- Bug 40151: Remove survey banner on TBA-stable
- Bug 40153: Rebase Fenix patches to Fenix 87.0.0
- Bug 40365: Rebase 10.5 patches on 87.0
- Bug 40383: Disable dom.enable_event_timing
- Build System
Comments
Please note that the comment area below has been archived.
DuckDuckGo works again on…
DuckDuckGo works again on Safest security level! \o/ Thank you!
Working again for me too! …
Working again for me too! Thank you thank you Tor people!
I do not really search much but when I do I am doing research and it is important to be able to click on search page links with the highest security level, because when researching obscure topics you are often directed to other than well-known sites. For that matter, even major media sites have been found at times to be unwittingly serving malware.
Request: when Tor Project gets the "anonymously report an issue" tool ready, PLEASE explain how to use it in a post in this blog. Please note that requiring users to have an email account, chat account, etc. will exclude some users. OTH, Tails Project uses whisperback which is not perfect but does not require anything not already provided in a standard Tails. In the same way, any "secret" tokens or whatever should be provided with the latest TBB tar ball. It would be useful to be able to report both observations about strange behavior of the Tor network as well as documenting bugs. Alternatively, it would be fabulous if TP followed the Riseup example and had a Tor network health barometer on the home page, so that users can be alerted (and know they should be patient) if TP thinks the network is currently under attack.
> major media sites have…
> major media sites have been found at times to be unwittingly serving malware.
My virus scanner once encountered state-sponsored malware on the website of a major media corporation based in that same nation-state. Makes you wonder about the ties between money, politics, law, rights, and class.
> when Tor Project gets the "anonymously report an issue" tool ready, PLEASE explain how to use it in a post in this blog.
They did on February 09, 2021: https://vbdvexcmqi.oedi.net/anonymous-gitlab
> Tails Project uses whisperback
> any "secret" tokens or whatever should be provided with the latest TBB tar ball.
> if TP followed the Riseup example and had a Tor network health barometer on the home page, so that users can be alerted (and know they should be patient) if TP thinks the network is currently under attack.
Good ideas. I hope Tor Project looks into them. You can get their attention anonymously by reporting an issue. I don't see a barometer on RiseUp's home page, but here is Tor Project's Status portal: https://status.torproject.org/
And here is the Metrics portal: https://metrics.torproject.org/
Also recently relevant: https://vbdvexcmqi.oedi.net/contribute-to-tor-metrics-timeline
cool, been noticing the…
cool, been noticing the noscript tag acting weird
When will Snowflake bridge…
When will Snowflake bridge get interested in the stable release of the Tor browser?
"The current plan is later…
"The current plan is later this year."
The images in this blog are…
The images in this blog are not always fully loaded, because of REASON=DESTROY in streams. But why?
Is there any chance it would…
Is there any chance it would be possible to ask you to keep a live link to previous versions at least for a few days after a new release, in order to allow package management solutions (e.g. chocolatey) some time to update the tor package? currently every time you release a new version, it breaks the package which still points to the older version download link (right now it's 10.0.12 for example).
No need to reply, just food for thought.
Thanks in advance.
> keep a live link to…
> keep a live link to previous versions at least for a few days after a new release, in order to allow package management solutions (e.g. chocolatey) some time to update the tor package?
The previous versions are on live links. Copy the URL from the download page, and go up a few directories:
https://decvnxytmk.oedi.net/dist/torbrowser/
Or, better than that, this file -- whose name never changes -- can be parsed:
https://decvnxytmk.oedi.net/dist/torbrowser/update_2/release/downloads.j…
It redirects to aus1.*
Tell chocolatey's maintainers.
Was there yet another java …
Was there yet another java "leak"? I read about it on the Google Play feedback section for the Android app but assumed it only affected the Android version due to how crap it is and how little care Tor Devs have for it. I'm sure plenty of hidden services exploited their lack of user protection.
Can you provide a reference…
Can you provide a reference/link?
Just open Tor Browser's page…
Just open Tor Browser's page in Google Play, click on "Read All Reviews," and do Ctrl+F for "java".
Why does Tor Project neglect looking there for bug reports? You need to go and write in your app's description on its page (Play, GuardianProject) to tell people to bring their bug reports to reporting channels that are monitored!
They could be because of Bug 40030: Add 'noscript' capability to NoScript. But many of them are dangerously customizing about:config. A proper notice from developers could have mitigated their action.
No, all of those comments…
No, all of those comments are due to misunderstanding how the Safest security level works. This has no relationship to Java. Tor Browser does not disable Javascript via the internal Firefox preference. It uses NoScript to disable javascript for each page.
Are you sure they're due to…
Are you sure they're due to a misunderstanding? It's plausible that a website might reach an unanticipated condition if NoScript is blocking JavaScript and, as was true at the time, NoScript is blocking the "noscript" tag.
Breakage on web sites is…
Breakage on web sites is different from leaks/bypasses/etc. There are previous examples of NoScript failing at blocking javascript, but the current comments are not related to that.
You don't seem to understand…
You don't seem to understand, re-read the whole thing and focus on 2021-03-31: .onion page and they tell you to turn off Java Someone went onto a Tor .onion site using your official Android app and the service detected that it could run java, what more proof do you need? Let me guess: Uhhh... its the fault of NoScript and we aren't them! - Uhhh... its the fault of Mozilla and we aren't them! - Uhhh... the hidden service got it wrong, siwwy survus!
Tor = uncaring money sponge death cult
First, please be specific…
First, please be specific about *javascript*, not *java*. They are completely different languages and their exploitation are completely different.
The comment from 2021-03-31 says: "Lol try to look up a .onion page and they tell you to turn off Java when the search doesn't work and they're not competent enough to add a setting built into THEIR browser. Orfox is gone yet still better than this".
They should disable Javascript by using the Safest security level.
> You don't seem to…
> You don't seem to understand
I disagree. sysrqb's reply on April 20 explained it sufficiently.
OP asked if there was a Java "leak". There wasn't and isn't, neither for Java nor JavaScript. (Browsers run JavaScript. Java (not script) would require a plug-in that users would have to install themselves. It would activate if a website embeds Java applets which are basically never used in web design anymore.) Real leaks by JavaScript in Tor Browser happened over the years, but this isn't one of them. The messages from websites are most likely because of users being on a certain security level, or because of the recent blocking of the "noscript" HTML tag by NoScript, or because of other misconfigurations done by the users such as in about:config.
> the service detected that it could run java
Not necessarily detected correctly.
If a message was due to the "noscript" tag being blocked, then the message was probably false because that was a new feature in NoScript that websites most likely were not prepared to respond to and summarily stumbled and vomited up a result. Tor Browser in the meantime was blocking or allowing JavaScript ("script" in NoScript) according to the security level correctly as normal.
Mozilla was not involved. NoScript rolled it out suddenly, possibly as an automatic update. Tor Project didn't test it. Websites were handling the tags in the manner they had always expected them to be. Tor Browser kept on treating JavaScript the way users expected it would.
When i enter about…
When i enter about:networking#networkid in the url there is a value called network id. what is this value and how is it used?
Please see: https://gitlab…
Please see: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/338… and https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/338…
we don't have to spoof it…
What's the harm in spoofing it right now? Make it identical for every Tor Browser. Is the network ID used for anything more than Firefox Private Network (VPN)? Will Tor Browser ever use Firefox Private Network? If the answers are "no", then what's the harm in spoofing it now to mitigate future changes by Mozilla?
I's no longer possible to…
I's no longer possible to connect to version 2 onion services with Tor Browser 10.5a13. Wasn't the deadline supposed to be June 2021?
Correct, as noted above: …
Correct, as noted above:
Note: Tor Browser will stop supporting version 2 onion services in June (two months from now). Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.
https://vbdvexcmqi.oedi.net/v2-deprecation-timeline
Tor Browser Alpha contains an alpha version of tor version 0.4.6 where v2 onion support is already removed.
The Tor Browser is a very…
The Tor Browser is a very useful amd effective tool in assisting in finding necessary information