New Release: Tor Browser 10.0.5
Updated on 27 November 2020: Android Tor Browser 10.0.5 is now available. (Originally published on 17 November)
Tor Browser 10.0.5 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox on desktops to 78.5.0esr, Fenix on Android to 83.1.0 and updates Tor to 0.4.4.6. This release includes important security updates to Desktop Firefox, and important security updates to Android Firefox.
Note: Android Tor Browser 10.0.5 is delayed until next week. In the future, new Tor Browser versions for Android and Desktop should be published at the same time.
The full changelog since Tor Browser 10.0.4 (Desktop) is:
- Windows + OS X + Linux
- Update Firefox to 78.5.0esr
- Update Tor to 0.4.4.6
- Bug 40212: Add new default obfs4 bridge
The full changelog since Tor Browser 10.0.4 (Android) is:
- Android
- Update Fenix to 83.1.0
- Update Tor to 0.4.4.6
- Bug 40212: Add new default obfs4 bridge
- Build System
- Android
Comments
Please note that the comment area below has been archived.
To Tor, TURN OFF all my…
To Tor,
TURN OFF all my updates, a bloody never ending constant stream of updates, more updates. Bugger off, I have loooked at the Tor settings and aparrently there is no turn off button, Mmm why am I not that surprised.
John.
Sorry, but updates are…
Sorry, but updates are important. You can control automatic updates through the policy.json file: https://github.com/mozilla/policy-templates/blob/master/README.md#disab…
As always, disabling updates is **strongly** discouraged.
Are you on Android? Because…
Are you on Android? Because desktop is based on Firefox ESR and doesn't update more than about twice a month. If your comment is a taste of things to come for desktop, we'll be hearing more complaints like yours after desktop eventually migrates to Firefox's standard releases. Everyone better get used to saving their tab sessions as bookmarks.
This is security software,…
This is security software, updates are a good thing
Wish that there were more…
Wish that there were more performance/load time improvements
That's coming soon. You may…
That's coming soon. You may be interested in watching the Sponsor 61 work: https://gitlab.torproject.org/groups/tpo/-/milestones/16
Thank you, Tor Project…
Thank you, Tor Project. After update, the browser opened to a purple tab, "Tor Browser has been updated," and the tab flap says "About Tor". Is it supposed to be purple? I was expecting the black layout that asks for donations.
I sure hope that when Desktop and Android are published at the same time that Desktop will still be able to access about:config.
Yes, the "Tor Browser has…
Yes, the "Tor Browser has been updated" page is now remaining purple, even if the background on about:tor is black (or another color). Some users became concerned on a previous update when the "updated" page unexpectedly was black. We hope this change will provide continuity across versions. You can see the details at https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/40021
Regarding about:config, there aren't any plans for removing access on desktop.
Why has about:config been…
Why has about:config been blocked on the android version? And why is there no longer any option to change the home page to blank on android? Not everyone is into the anarcho-grunge purple esthetic appearing on their phone every time they open their browser...lol
> why is there no longer any…
> why is there no longer any option to change the home page to blank on android?
I'm surprised there isn't. Big Tor logos can be a liability in the presence of authorities hostile to privacy.
Please comment on https:/…
Please comment on https://github.com/mozilla-mobile/fenix/issues/7865
can TOR group READD about…
can TOR group READD about:config? it is very important...
Out of curiosity, is Android…
Out of curiosity, is Android Tor Browser or Android Firefox or Fenix able to access about:config at this address?
chrome://global/content/config.xhtml
Desktop Firefox and Tor Browser has a new interface for about:config since some months ago, but its old interface is accessible at that address. I bookmarked the old interface because the new interface doesn't have the feature to sort columns.(Only Desktop) -> (Desktop…
(Only Desktop) -> (Desktop Only)
What means this entry:…
What means this entry:
firefox.settings.services.mozilla.com 443
in about:networking#http ?
https://wiki.mozilla.org…
https://wiki.mozilla.org/Firefox/RemoteSettings
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/400…
Can I disable Firefox Remote…
Can I disable Firefox Remote Services manually in about:config until issue 40038 is closed? Would this be safe?
Issue 40038 is closed and…
Issue 40038 is closed and implemented. Remote Services will not be completely disabled because Firefox (and Tor Browser) rely on downloading some updated information from Mozilla. We do not recommend you completely disable Remote Settings.
Nice.
Nice.
[11-18 09:51:46] Torbutton…
[11-18 09:51:46] Torbutton WARN: Version check failed! JSON parsing error: SyntaxError: JSON.parse: expected ',' or ']' after array element at line 19 column 1 of the JSON data
Thanks, this can be ignored.
Thanks, this can be ignored.
Hi, why is the Android…
Hi,
why is the Android release delayed? Is there any ticket explaining the problem?
Thanks
The delay was due to…
The delay was due to insufficient testing of the Android version. We simply needed additional time for testing the new version in an Alpha version before publishing it as a stable version.
Official name is "Firefox…
Official name is "Firefox for Enterprise", not "Firefox for Desktop", so this is "Tor Browser for Enterprise".
The purpose of notating a…
The purpose of notating a version as "Desktop" or "Android" is only distinguishing between the two general platforms. The goal is not distinguishing between the Extended Support Release ("for Enterprise") and Rapid Release ("Release"), therefore we describe these are Android Tor Browser and Desktop Tor Browser.
What's with disabling the …
What's with disabling the "picture-in-picture" feature for videos? It has to be reenabled via about:config. It can't be a security risk, surely?
https://gitlab.torproject…
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/401…
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/401…
Thank you thank you! I…
Thank you thank you! I believe I have seen this used in the wild against Tails users. I presume the version of Tor Browser in current Tails inherits the block?
There is still the bug of…
There is still the bug of DDG searches made in the address bar disappearing when hitting the back navigation button after visiting another website. Really annoying (I don't use the normal search bar, just the address bar for searches, like many people). Will this ever be fixed, or is it a firefox/mozilla bug/feature?
This is being discussed and…
This is being discussed and whether the usability concerns outweigh any privacy concerns.
DDG still discloses the…
DDG still discloses the search query by showing it in the URL (submits the form via the GET method) on the TorBrowser's Safest security level (DDG's scripts are not allowed in NoScript). The workaround is to always search in the weaker TB security mode :(, or manually add DDG to the NoScript's Trusted sites before each search(!).
Consider adding DDG to the Trusted Sites list of NoScript.
No, that is not the case…
No, that is not the case. The search query is shown in the url bar when using the Safest security level because DDG redirect the query from duckduckgo.com to html.duckduckgo.com, and that redirect changes the request from a POST to a GET. Subsequent queries on html.duckduckgo.com use POST. However, aside from potential shoulder-surfing, I don't see much benefit to using POST requests, especially given the usability problem it introduces as described by the OP.
Update 10.0.05 not working…
Update 10.0.05 not working keep getting Onion site Has Disconnected using win 7
You still have this problem…
You still have this problem. please check https://ibb.co/syJ6c10. thanks.
Yes, unfortunately…
Yes, unfortunately letterboxing does not always handle this correctly.
https://bugzilla.mozilla.org/show_bug.cgi?id=1407366#c16
https://bugzilla.mozilla.org/show_bug.cgi?id=1591054
I think its behavior now is…
I think its behavior now is fine. It was worse before letterboxing because those bars, which are sized by whichever windowing theme you happen to be using, gave your page area's dimensions a high-entropy fingerprint. Is your issue that the page area isn't centered vertically in the letterbox? That would be relatively easy to patch. Is your issue that you want the page area to fill the vertical space and adhere to letterbox increments? Then, the vertical size of the entire window would have to snap-decrease rather than the letterboxing in one tab.
Those bars don't really need to be used. The Menu Bar's features are in the 3-lines hamburger menu on the right-hand side, and the Bookmarks Toolbar is candy for shoulder surfers and makes your browser fingerprint stand out across every tab and every New Identity session. Instead, you could Customize the main toolbar and drag the button for the Bookmarks Menu onto the main toolbar, or you could open the Bookmarks Sidebar when you need it.
this version play youtube…
this version play youtube vid without change confg?
Yes
Yes
As far as I know, Tor…
As far as I know, Tor Browser always has been able to play youtube videos in standard security mode. Changes were needed only in the higher security modes: safer and safest.
Great!
Great!
Tor is awesome
Tor is awesome
Thank you very much for your…
Thank you very much for your hard work. This time, I experienced something a bit strange, though perhaps accidental and unimportant.
1) While using 10.0.4, I saw the "A new Tor Browser update is available" balloon popped up.
2) I clicked "See what’s new" and came to this page.
3) I didn't click "Download Update" nor "Not Now" but was doing something else.
4) After a while I noticed that the only blue "Download Update" rectangle remain on the Browser's main window, the said balloon not having disappeared entirely nor remaining (redrawn) properly, but only the blue part remained.
5) I thought I'd update later, after backing up 10.0.4 just in case, so I ignore this blue "button", which eventually disappeared... or so I thought.
6) After a while I restarted TorBrowser 10.0.4, then updating started (perhaps I accidentally clicked "Download Update" in 5, though I didn't think so...). So from my point of view, this was a force-update to 10.0.5, without asking. So far I can't reproduce this behavior, though...
The above is essentially harmless, just that 10.0.4 was updated to 10.0.5, which I was going to do anyway. However, at least the "update is available" balloon is (was) not redrawn properly in some situation, when you don't close it explicitly by clicking "Not Now" and keep it floating for a while. That's what I think I experienced anyway. Just something cosmetic, I guess.
Drawing (showing) the blue "Download Update" part floating on the page is trivially easy via CSS, so if this is allwed and accepted by the end user, potentially a malicious web site can show the same blue "button" that looks like a button to update Tor Browser and let the user download something else. In reality, probably no one is tricked by that, though... Thanks again.
Yes, all updates are…
Yes, all updates are downloaded automatically and the update process is completed on the next start of the browser, only if the download completed successfully before you quit the browser during the previous session.
Is Android Version coming…
Is Android Version coming with file upload fixed???
Quit ignoring comments ffs
https://gitlab.torproject…
https://gitlab.torproject.org/tpo/applications/fenix/-/issues/40110
Since updating on 17th many…
Since updating on 17th many things do not work now. My bookmarks have disappeared. I am not able to get new bookmarks to add to the library either. How can I recover my book marks and adding facility?
This sounds like https:/…
This sounds like https://support.mozilla.org/en-US/kb/recover-lost-or-missing-bookmarks
https://vbdvexcmqi.oedi.net…
https://vbdvexcmqi.oedi.net/comment/286824#comment-286824
what is gitlab approval time…
what is gitlab approval time? problematic email domain is excluded? I wait some days
I make this comment in blog post "From Trac into Gitlab for Tor" but it's not approved.
Accounts are usually…
Accounts are usually approved within a day (approval is a manual process). If approval takes longer than this, then please join IRC (#tor-project channel) and follow up on the request.
https://decvnxytmk.oedi.net/contact/
You have not uploaded 10.0.5…
You have not uploaded 10.0.5 for android on the download page.
It is still 10.0.4.
Thanks, this is fixed now.
Thanks, this is fixed now.
Works great. Thank you!
Works great. Thank you!
it is impossible to download…
it is impossible to download 10.0.5 for android from this site by using the previous android version of Tor browser.
in about:config set…
in about:config
set extensions.torbutton.resize_new_windows to false,
but after restart torbrowser this setting again TRUE
this happens every time, every time you start torbrowser.
why is it so? maybe bug?
No, not a bug. It is reset…
No, not a bug. It is reset at startup such that it is |true| when letterboxing and resistFingerprinting are enabled.
Gah. Your tab just crashed…
Gah. Your tab just crashed.
We can help!
Choose Restore This Tab to reload the page.
MacBook Pro 2020 M1 please fix
Thanks, yes, we're…
Thanks, yes, we're investigating it here https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/402…
I am on Android. For some…
I am on Android. For some reason the auto updates enabled it self or idk maybe I had them enabled and tor updated to 10.0.5. The interface is ok. But when I went to bookmarks they were all changed. Before, they were in chronological order, so that the first I saved were at the top and the newer ones at the bottom. But it seems like, when it was importing them, it did not follow any order, because now the bookmarks are randomized. Some that were at the top are now at the bottom and vice versa. They are not even in alphabetical order. I cannot find anythjng because of this. I also cannot fix it because in Android I cannot change the bookmark's place (In PC I can just drag and drop it to a new location, but holding them on android just "selects" them and the only option is delete). Maybe you should add an option to change bookmarks' place/location so I (and other people who might have had the same problem) can fix it. Maybe some kind of slider/button at one side that you can hold then drag to move the location.
This sounds like https:/…
This sounds like https://github.com/mozilla-mobile/fenix/issues/13426
Hi, Tor Browser Guys, I…
Hi, Tor Browser Guys,
I just wanted to tell you that I needed to downgrade Tor Browser to a pre-10.0 version because on my Android (8.0) smartphone it still is not possible to do about:config!!
For me, since about Tor Browser version 10, there are three fatal errors, every single one of them knocking out my acceptance to this app:
You got an extensive email about this by me.
You did not resolve this error.
(Test: Do some noscript configuration with site-specific settings. Export it to a file. Do completely different settings. Import the saved setting. Nothing is changed.)
Starting with about 10.0.2 this is the worst Tor Browser.
Sorry to tell.
Hello, For (1), Mozilla is…
Hello,
For (1), Mozilla is tracking that in https://github.com/mozilla-mobile/fenix/issues/7865
For (2), correct, adjusting the cookie settings was not recommend in the previous version and it is not recommended on desktop. Our only goal was providing the same supported functionality from Tor Browser 9.5.4 and Tor Browser 10.0.3. Tor Browser does not accept third-party cookies, but it saves first-party cookies within a session. Currently there is not a way to disable first-party cookies, however they are deleted when you quit the app.
For (3), thanks for reporting this. We will investigate this. https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/402…
About your number 3, in case…
About your number 3, in case you didn't know, NoScript permissions are reset every time you change the security level. If you import permissions and then change your security level, the permissions will be deleted anyway unless you select "Override Tor Browser's Security Level preset" in NoScript's options. Be cautious about that option because customized permissions can be observed making uniquely identifiable connection patterns and can therefore de-anonymize your activity.
https://2019.decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled
https://jqlsbiwihs.oedi.net/tbb/tbb-14/
Firstly, thank you for Tor…
Firstly, thank you for Tor Browser! You developer guys are doing a wonderful job.
Re: your reply to a commenter above - "Yes, all updates are downloaded automatically and the update process is completed on the next start of the browser, only if the download completed successfully before you quit the browser during the previous session.|" (my emphasis) - so, a suggestion - perhaps when a user clicks on the 'close' button to terminate Tor Browser, but there is in fact an update downloading in the background at that moment, you could implement a pop-up message informing the user that Tor Browser is in the process of updating, and saying something like "an update is downloading right now. Are you sure you want to close Tor Browser, or would you rather wait until the update download is complete?".
Tor Browser weighs in at around 90MB, which may seem like nothing to those with unlimited bandwidth, but is a significant amount of data to those with limited (and costly) monthly data allowances.
Keep up the good work. The world needs you. ... (Just one thing, though; is there no way to detect and do something about these "exit nodes operated by bad guys" one reads about?
The update process came with…
The update process came with the source code from Firefox. It's developed by Mozilla. Tor Project basically modifies the links and the files for Tor Browser's updates instead. You should write that suggestion on Mozilla's bug tracker.
There are ways to detect malicious exit nodes and ways to report them.[1][2] Over the years, many malicious or outdated relays have been discovered and ostracized.[3][4][5][6][7][8]
I just started using the…
I just started using the Android version after buying my first smartphone. Despite the UI regressions in Fenix, you've still overcome and made a solid product. I really appreciate the work y'all do.
I don't know whether this…
I don't know whether this will be answered, let alone seen (since The Tor Blog often stops at a certain point from approving comment submissions), but here goes:
Why are these links seen as not secure, and when I click on the padlock icon with a red slash through the padlock, there is no information about Tor nodes? Links which begin like these:
data:image/png;base64
Boggles my mind.
From closed "New Release:…
From closed "New Release: Tor Browser 10.5a4"
https://vbdvexcmqi.oedi.net/comment/290611#comment-290611
">Don't mix foreign webstorage with browser configs!
That was a decision made for Firefox, please contact them."
Great)-:.
From my own experience it's bound to fail -sorry.
You have more influence to convice Mozilla to do not
so obvious illogical things. Wrong doing against browser/Firefox/Torbrowser security.
So much discussions about convenience but for such a thing -mix foreign data with browser config!- there's only silence. Ehm.... .
If Mozilla want's to be trusted, it's Mozillas job to explain why it's a good idea to mix
foreign webstorage with browser configs. Logically explaining.
Hi, there is a new version…
Hi, there is a new version of openssl out, fixing a security issue. For next Tor release I think better update.