New Release: Tor Browser 10.0.17
Tor Browser 10.0.17 is now available from the Tor Browser download page and also from our distribution directory.
This version updates Firefox to 78.11esr. In addition, Tor Browser 10.0.17 updates NoScript to 11.2.8, HTTPS Everywhere to 2021.4.15, and Tor to 0.4.5.8. This version includes important security updates to Firefox for Desktop.
Warning:
Tor Browser will stop supporting version 2 onion services later this year. Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.
Note: The Android Tor Browser update will be available next week.
The full changelog since Desktop Tor Browser 10.0.16:
- Windows + OS X + Linux
Comments
Please note that the comment area below has been archived.
The page linked on about:tor…
The page linked on about:tor doesn't mention the v2 onion deprecation https://jqlsbiwihs.oedi.net/onionservices/#v2-deprecation as of 19:00 utc
Yes, thanks for letting us…
Yes, thanks for letting us know. Please refer to https://vbdvexcmqi.oedi.net/v2-deprecation-timeline until https://gitlab.torproject.org/tpo/web/support/-/issues/202 is resolved.
Do I change the fingerprint…
Do I change the fingerprint if I display the Menu Bar on top?
I go to View-Toolbars-Menu Bar ( checked)
Or if I remove the Bookmark Toolbar:
View-Toolbars-Bookmarks Toolbar
Thanks
Please see https://blog…
Please see https://vbdvexcmqi.oedi.net/comment/291884#comment-291884
The new banner on about:tor…
The new banner on about:tor, "Tor is ending support...," links to Learn More, but that page doesn't say anything about v2 or v3. The page does however give a v2 address, and only a v2 address, as a proper example of an onion service under the question, " I've heard about websites that are only accessible over Tor."
Yes, thanks for letting us…
Yes, thanks for letting us know. Please see https://vbdvexcmqi.oedi.net/comment/291865#comment-291865 now.
Please note the second part…
Please note the second part of that comment concerned that Support lists "only a v2 address". The GitLab issue in your reply does not mention it. Here are some support pages that mention "only a v2 address":
https://jqlsbiwihs.oedi.net/onionservices/onionservices-1/
https://tb-manual.torproject.org/onion-services/#troubleshooting
https://jqlsbiwihs.oedi.net/onionservices/onionservices-3/
Regarding the deprecation of…
Regarding the deprecation of v2 onions, has there been any news from DuckDuckGo about upgrading their service to v3?
I have not sighted any news about this.
P.S. Why is the DuckDuckGo search not set to Onion by default? Is it due to their use of v2?
Yes, they are testing a v3…
Yes, they are testing a v3 onion address and that should be available in the near future.
Their onion address is not used as the default search engine because they have concerns about supporting the resulting load. The ticket tracking this request is https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/214….
always wondered about this,…
always wondered about this, thanks for the info
> they have concerns about…
> they have concerns about supporting the resulting load.
So tell onion service admins to integrate OnionBalance for .onion with their load balancers for .com, .org, etc.
They are aware of…
They are aware of OnionBalance.
Tor WARN: Received http…
Tor WARN: Received http status code 404 ("Consensus is too old") from server 78.47.103.109:443 while fetching consensus directory.
Really don't know what's…
Really don't know what's wrong with you, but you stopped fixing even security bugs :(
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issu…
This will be happen when 10…
This will be happen when 10.5 becomes stable.
Tor WARN: Received http…
Tor WARN: Received http status code 404 ("Consensus is too old") from server 78.47.103.109:443 while fetching consensus directory.
On every startup?
Why did you update NoScript…
Why did you update NoScript to 11.2.8 (known broken version)?
How is 11.2.8 broken?
How is 11.2.8 broken?
https://forums.informaction…
https://forums.informaction.com/viewtopic.php?f=7&t=26328
https://vbdvexcmqi.oedi.net…
https://vbdvexcmqi.oedi.net/comment/291742#comment-291742
NoScript automatically…
NoScript automatically updates.
> Bug 40432: Prevent probing…
> Bug 40432: Prevent probing installed applications
No sign it was backported to stable by
https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/a5a…
That's not good.
I don't understand what you…
I don't understand what you mean. That is the stable branch (10.0 series), and this is the branch used for 10.0.17: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/ce3…
Bug 40432 has no evidence of…
Bug 40432 has no evidence of that commit. MR too.
Yes, that's a fair criticism…
Yes, that's a fair criticism. I added on a comment on the MR: https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requ…
Thanks for commenting about it.
Does this mean hidden…
Does this mean hidden services can see what apps and software we have installed? Cheers for the merge request as well, basically an instant fix to all users. Carefully, he's a hero!
Yes, onion services would be…
Yes, onion services would be able to perform the same probing as other web sites.
EFF (Full): A new ruleset…
EFF (Full): A new ruleset bundle has been released, but it is older than the extension-bundled rulesets it replaces. Skipping.
Yes, that's because they don…
Yes, that's because they don't update rulesets on their update channel. They stopped to accept new rulesets, but that doesn't mean the end of maintaining the existing ones. So, at least, a June update should exist.
Hi, I'm from Iran, I cannot…
Hi, I'm from Iran, I cannot connect to Tor (with or without bridge) since yesterday even if I am using a proxy that changes my IP
There is a sharp increase in…
There is a sharp increase in bridge users from Iran using obfs4 that started at the end of the month 2021-05 (May). The increase is nominal when compared to bridge users from all countries in the same time period.
Try changing your bridge. Try a different obfs4 bridge, or try a meek bridge. If you use a proxy or VPN in the chain before Tor, there could be an issue in that proxy. You could also try a bridge that uses a port that is usually open such as 443. If none of those help you, I guess it could be an issue in your ISP or country. Here's some more information about connecting from Iran.
Please supply more information if you find any. Read how to contribute to the Tor metrics timeline.
DuckDuckGo founder and CEO: …
DuckDuckGo founder and CEO: “We're delighted that EFF has now entrusted DuckDuckGo to power HTTPS Everywhere going forward, using our next generation Smarter Encryption dataset."
Where are the statements from the Tor Project? Have you silently entrusted DuckDuckGo too?
Hi again, I posted a comment…
Hi again, I posted a comment about 30 miniutes ago and said I cannot connect to Tor in Iran since yesterday, I downloaded the last Tor version and now I am able to connect to Tor network, Thank you guys!
FYI: * Last time - (16.05…
FYI:
* Last time - (16.05.2021 & TBB10.0.16) https://vbdvexcmqi.oedi.net/comment/291807#comment-291807 - I had "10FVVUV & 99.01% unique".
* For now (04.06.2021 & TBB10.0.17) I got -
"0FVVVV - This is your identifier. It was seen 5002 times among 54006 tests so far.
That means it is 90.74% unique. Want to try again? We have generated your identifier based on 0 applications you have installed. Out of 24 applications in our database."
Is it a final solution?
> That means it is 90.74%…
> That means it is 90.74% unique.
I get 0FVVVV too on Tor Browser 10.0.17. The identifier has now been seen 6657 times among 64255 tests so far. That means it is 89.64% unique... based on 0 applications you have installed out of 24 applications in our database. It's looking better.
As long as that identifier is based only on detecting whether applications are installed, comparing it to identifiers retrieved from other browsers makes some sense but could be improved. It wouldn't make sense to compare browser fingerprints of regular browsers like Chrome and Safari with the fingerprints of Tor Browser because Tor Browser is made to stay as identical as possible in every installation, but regular browsers are not. Sites like EFF's panopticlick give comparisons that would be more meaningful if they compared Tor Browser with only other Tor Browsers to find anomalies in its intended uniformity. That is the goal of projects like TorZillaPrint.
the sound has stopped…
the sound has stopped working when I was watching YouTube
Does the sound immediately…
Does the sound immediately stop working or it stops after some time? Does it happen with all videos?
I just downloaded from here,…
I just downloaded from here, the latest version for android, and now it is flooded with CaptCha, what's up with that?
Unfortunately the app does…
Unfortunately the app does not have any control over CAPTCHAs, that is presented by the web site. Many Tor exit nodes have a bad reputation due to people abusing the Tor network, and that results in real people seeing CAPTCHAs.
> it is flooded with CaptCha…
> it is flooded with CaptCha
That's normal. Read:
https://vbdvexcmqi.oedi.net/comment/283051#comment-283051
https://vbdvexcmqi.oedi.net/comment/283458#comment-283458
https://vbdvexcmqi.oedi.net/comment/283621#comment-283621
https://vbdvexcmqi.oedi.net/comment/285858#comment-285858
https://vbdvexcmqi.oedi.net/comment/286743#comment-286743
I’m unable to download…
I’m unable to download anything using Tor. What gives?
What is your operating…
What is your operating system and what is happening when you try downloading a file?
When loading .onion sites…
When loading .onion sites like https://27m3p2uv7igmj6kvd4ql3cct5h3sdwrsajovkkndeufumzyfhlfev4qd.onion/ (=theintercept.com) with TBB 10.0.17, you can't stop loading clearnet urls, non-onion, images with 'permissions.default.image'. Showing with Tools -> Page Info. Is this new? Whats going on?
Can you reproduce this with…
Can you reproduce this with older Tor Browser versions? Tor Browser never explicitly blocked this (see https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/198…)
But you can test older versions: https://archive.torproject.org/tor-package-archive/torbrowser/
"[...] never explicitly…
"[...] never explicitly blocked"
Wrong. Till "Wed, 22 Jan 2020" it WAS working.
Read mozillas docs and you know why this is not working as it should be: "-pref("permissions.default.image", 1);[...], 3-dontAcceptForeign"
https://hg.mozilla.org/mozilla-central/rev/dea8bc3b320a
author pbz
Wed, 22 Jan 2020 10:45:15 +0000
changeset 511088 dea8bc3b320acdd689a27596a0a54eb794941333
parent 511087 74493854a1b6478d5a9c3674df1369788783eeee
child 511089 798234088fd904c05e9312a0f703980e284d3bf7
push id 37045
push user csabou@mozilla.com
push date Wed, 22 Jan 2020 21:48:55 +0000
#---------------------------------------------------------------------------
# Prefs starting with "permissions."
#---------------------------------------------------------------------------
+# 1-Accept, 2-Deny, Any other value: Accept
+- name: permissions.default.image
+ type: RelaxedAtomicUint32
+ value: 1
+ mirror: always
[...]
-pref("permissions.default.image", 1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
> with TBB 10.0.17, you can…
> with TBB 10.0.17, you can't stop loading clearnet urls, non-onion, images with 'permissions.default.image'.
Note: that will affect your browser fingerprint
"that will affect your…
"that will affect your browser fingerprint"
Sure, if you define that as normal that .onion sites load tracker, clearnet-cdns like akamai, amazon, microsoft and the user is strangle enough prohibited to stop this.
When the TBB normally loading Flash and Java, to stop this "will affect your browser fingerprint", too.
I updated my tor only to…
I updated my tor only to find my virus checker sees it as malware now ???
and puts it in quarantine
Yes, unfortunately that…
Yes, unfortunately that sounds like https://jqlsbiwihs.oedi.net/tbb/tbb-10/
That FAQ answer is missing…
That support FAQ answer does not state that the error is usually because the virus scanner's maintainers have not updated its virus definition files to include the very new version of Tor Browser that's usually less than 3 days old when most complaints appear. Often, the user simply has to give them some time after Tor is released and then update their virus scanner. If the user doesn't want to wait, then yes, they can follow the linked answer as it's currently written to configure their scanner to ignore and never scan Tor Browser's EXE files. I personally don't like that answer.
When will Snowflake get…
When will Snowflake get integrated in the stable release?
It is scheduled for release…
It is scheduled for release at the end of this month.
Shortly after launch it…
Shortly after launch it tries to connect tcp 78.198.124.6:110. 110 is pop3. Is this normal behaviour?
Yes, that is the port on…
Yes, that is the port on which the relay is configured: https://metrics.torproject.org/rs.html#details/E11FC7C83F417808A4CDD84A…
The relay can listen for connections on any port, and this relay's operator chose port 110.
> this relay's operator…
> this relay's operator chose port 110
These should be noted also:
- https://sgapqzbrdr.oedi.net/relay/setup/#questions-you-should-clar… -- "We recommend port 443 if that is not used by another daemon on your server already. ORPort 443 is recommended because it is often one of the few open ports on public WIFI networks. Port 9001 is another commonly used ORPort."
- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorFAQ#how-can-i-… -- "Expose your Tor relay on port 443 (HTTPS) so that people whose firewalls restrict them to HTTPS can still get to it. Also, you should expose your directory mirror on port 80 (that even works if Apache is already listening there; but not working for a bridge)."
- https://2019.decvnxytmk.oedi.net/docs/faq.html.en#FirewallPorts
- https://sgapqzbrdr.oedi.net/relay/setup/bridge/debian-ubuntu/ -- "Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port."
- https://vbdvexcmqi.oedi.net/comment/1620#comment-1620 -- "There are also rumors that some of Iran is blocking port 443, so putting your Tor server on strange ports is actually helpful for that too."
// If a window is destroyed,…
this is null
during New Identity
Do you know what is null? …
Do you know which variable is null? `state`? `state.incognito_session_exists`?
'this' in 'this…
'this' in 'this.onIncognitoDestruction()'
Thanks! Sorry, now I realize…
Thanks! Sorry, now I realize I misread your original comment.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/404…
Hey, are the developers…
Hey, are the developers aware of this?
https://forum.f-droid.org/t/classyshark3exydus-found-five-trackers-insi…
Just wondering what's up. A lot of people are concerned.
Yes, we've received many…
Yes, we've received many questions and comments about this decision. I didn't know about that thread, but I see other people already explained our position and why took this path.
@sysrqb An explanation like…
@sysrqb An explanation like that or clearer should be on the app store pages because the app stores are where new mobile users ultimately decide whether to install it or not, and it's where most mobile users complain. Don't let ideas for FAQ answers languish in some blog comment.
Many questions you haven't…
Many questions you haven't bothered to answer and now can't even be bothered to find the thread? Does this mean ALL Android users will always be getting tracked because you can't bother to remove it? Do trackers get to see what hidden services we visit?
No, the trackers are…
No, the trackers are disabled. Zero information about your browsing behavior should leave your device. If anyone finds this is not the case, then that is a bug and we will fix it. However, the fact that we didn't completely remove the trackers in the app does not mean they are enabled.
Site doesn't work: https:/…
Site doesn't work: https://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?drive…
Just wanted to say thanks…
Just wanted to say thanks for all the work you do!
I just got this error when I…
This error appeared in a red box above this blog post when I posted a comment:
Deprecated function: Function create_function() is deprecated in GeSHi->_optimize_regexp_list_tokens_to_string() (line 4698 of vendor/geshi/geshi/src/geshi.php).
Yes, that is being tracked…
Yes, that is being tracked in https://gitlab.torproject.org/tpo/tpa/team/-/issues/40316
Tor as covered by…
Tor as covered by journalists. Hey ggus, add this to https://decvnxytmk.oedi.net/press/ :
Shift - Living in the Digital Age, 2021-06-11
Deutsche Welle (DW)
about the darknet and Tor Project
https://www.dw.com/en/shift-living-in-the-digital-age/av-55987407
See also:
DW's director general, Peter Limbourg, replies to how traditional media organizations can navigate digitalization and social media.
https://www.dw.com/en/dws-director-general-we-have-all-the-opportunitie…