New Release: Tor Browser 10.5a6

by gk | December 17, 2020

Tor Browser 10.5a6 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release updates Firefox to 78.6.0esr for desktop and Firefox for Android to 84.1.0. Additionally, we update Tor to 0.4.5.2-alpha for desktop users (Android users got that already with 10.5a5) and OpenSSL to 1.1.1i for everyone. This release includes important security updates both for desktop and Android users.

This version brings back a functioning meek bridge, and also allows users to automatically get bridges within Tor Browser again.

Note: Tor Browser 10.5 does not support CentOS 6.

The full changelog since Tor Browser 10.5a4 (desktop) and 10.5a5 (Android) is:

  • All Platforms
    • Update NoScript to 11.1.6
    • Bug 40175: Update obfs4proxy's TLS certificate public key pinning
    • Bug 40176: Update openssl to 1.1.1i
  • Windows + OS X + Linux
    • Update Firefox to 78.6.0esr
    • Update HTTPS Everywhere to 2020.11.17
    • Update Tor to 0.4.5.2-alpha
    • Bug 33803: Add a secondary nightly MAR signing key [tor-browser]
    • Bug 40138: Move our primary nightly MAR signing key to tor-browser
    • Bug 40159: Update snowflake to ece43cbf
  • Android
    • Update Fenix to 84.1.0
  • Linux
    • Bug 40226: Crash on Fedora Workstation Rawhide GNOME
  • Build System
    • All Platforms
      • Bug 40169: Update apt package cache after calling pre_pkginst, too
      • Bug 40183: Pick up Go 1.15.6
    • Windows + OS X + Linux
      • Bug 40081: Build Mozilla code with --enable-rust-simd
      • Bug 40166: Update apt cache before calling pre_pkginst in container-image config
    • Android
    • OS X
      • Bug 40147: Remove RANLIB workaround once we pick up 0.4.5.2-alpha

Comments

Please note that the comment area below has been archived.

December 21, 2020

In reply to gk

Permalink

June 2021 is a long time away. Since the release of 10.0 in October 2020, one of the issues with the most complaints and loss of trust in Tor Browser has been about Android's permissions.[1][2][3][4][5][6][7][8][9][10] Until the resolution is released, it would help everyone if Tor Project, in the app's descriptions on the app stores (Google Play and F-Droid), adds or links to an explanatory statement like your (gk's) comment and/or the replies by other Tor Project developers, some of which are in references 1-10 from the Tor blog.

Most people have already uninstalled and moved away from what I hear. Its not possible to actually tell because creating metric data for the number of Android based update requests is probably also too much of a burden for the devs. The best option now (and apparently for a while) would be a premium VPN which does multi hop connections, a free web proxy and a security/privacy focused browser like Brave, it lets you block scripts and has fingerprint protection by default. Click on the red lion icon in the URL bar to check your settings. Its far from trustworthy and the premium payment method will create a strong link but its better than anything Tor will be putting out for many months to come. Safest wishes for 2021 all

December 23, 2020

In reply to gk

Permalink

Thank you for your reply gk. I hope alpha versions would start to see the changes sooner. Happy holidays!

The same on linux , both 32 and 64 bit
Log complains about not setting the ClientTransportPlugin line before specifying the bridges' addresses , so I had to remove bridges lines form torrc , set UserBridge to 0 and remove the bridge preference set by torlauncher in pref.js to make torborwser connect directly to the tor network and make it works again

December 21, 2020

Permalink

torbrowser - defunct 10.5a6 / win 10 pro 19042.685 german / 32 and 64 / portable / update or fresh portable install

Hi there,

Didn't find any related bug(s) filed at
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues

Description

Starting after updating a portable version (both 32 and 64) from 10.5a4 to 10.5a6 on windows 10 doesn't work.
Relevant parts from update.log:
...
ensure_remove: failed to remove file: C:\Port\TBrowser\Browser/updater.exe.moz-backup, rv: -1, err: 13
backup_discard: unable to remove: updater.exe.moz-backup
...
ensure_remove: failed to remove file: C:\Port\TBrowser\Browser/softokn3.dll.moz-backup, rv: -1, err: 13
backup_discard: unable to remove: softokn3.dll.moz-backup
...
ensure_remove: failed to remove file: C:\Port\TBrowser\Browser/nss3.dll.moz-backup, rv: -1, err: 13
backup_discard: unable to remove: nss3.dll.moz-backup
...
ensure_remove: failed to remove file: C:\Port\TBrowser\Browser/mozglue.dll.moz-backup, rv: -1, err: 13
backup_discard: unable to remove: mozglue.dll.moz-backup
...
ensure_remove: failed to remove file: C:\Port\TBrowser\Browser/freebl3.dll.moz-backup, rv: -1, err: 13
backup_discard: unable to remove: freebl3.dll.moz-backup
...
calling QuitProgressUI
NS_main: unable to remove directory: tobedeleted, err: 41

Removing directory tobedeleted manually doesn't solve the issue.

Relevant parts from tor-connect log:
12/19/20, 14:31:18.380 [WARN] Bridge line with transport obfs4 is missing a ClientTransportPlugin line
12/19/20, 14:31:18.380 [ERR] set_options(): Bug: Acting on config options left us in a broken state. Dying. (on Tor 0.4.5.2-alpha 135b8eea36edd992)

Also fresh portable installs of 32 and 64 don't remedy the issue.

Regards

December 22, 2020

Permalink

Hello!

Please make a torrent download solution for the Tor Browser.

Thank's!

It's not recommended to torrent over Tor as it adds unnecessary strain on the network, though I hope this changes in the future, as torrents offer valuable information irrespective of mainstream junk. You can use Torify to run some applications over Tor, though most torrent clients don't appear to support this.

If possible, use OnionShare instead. The networking protocols of BitTorrent leak information that can identify you, and the protocols were not designed by Tor Project, and the Tor network can't handle the load of normal BitTorrent activity. Read the section "Don't torrent over Tor". Then, read "How can I share files anonymously through Tor?". Then, read the paragraph starting with "The default exit policy allows".

December 22, 2020

Permalink

Is it possible to remove "Paste & Go" from the right-click context menu in the address bar? I don't see any benefit for it, and it's dangerous. "Paste" is there separately, and that should be all anyone needs.

You should be able to do this manually by entering:

#paste-and-go { display: none !important; }

into: tor-browser_en-US/Browser/profile.default/chrome/userChrome.css

Would be good to have an option to only allow matches of HTTPS / onion URLs in the address bar.

December 22, 2020

Permalink

OS:Debian Gnu/Linux 10.7
Kernel: 5.9.6-1~bpo10+1 (2020-11-19) x86_64 GNU/Linux
Tor:10.5a6
The Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start.
Tor unexpectedly exited. This might be due to a bug in Tor itself, another program on your system,or faulty hardware. Until you restart Tor, the Tor Browser will not able to reach any wersites.if the problem persists, please send a copy of your Tor Log to the support team.
Restarting Tor will not close your browser tabs.

December 23, 2020

In reply to gk

Permalink

Dec 23 10:44:29.817 [notice] Tor 0.4.5.2-alpha (git-135b8eea36edd992) running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1i, Zlib 1.2.11, Liblzma N/A, Libzstd N/A and Glibc 2.28 as libc.
Dec 23 10:44:29.817 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://decvnxytmk.oedi.net/download/download#warning
Dec 23 10:44:29.817 [notice] This version is not a stable Tor release. Expect more bugs than usual.
Dec 23 10:44:29.817 [notice] Read configuration file "/home/birdofprey/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults".
Dec 23 10:44:29.817 [notice] Read configuration file "/home/birdofprey/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc".
Dec 23 10:44:29.819 [notice] Opening Control listener on 127.0.0.1:9151
Dec 23 10:44:29.819 [notice] Opened Control listener connection (ready) on 127.0.0.1:9151
Dec 23 10:44:29.819 [notice] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
Dec 23 10:44:29.000 [warn] Bridge line with transport snowflake is missing a ClientTransportPlugin line
Dec 23 10:44:29.000 [err] set_options(): Bug: Acting on config options left us in a broken state. Dying. (on Tor 0.4.5.2-alpha 135b8eea36edd992)
Dec 23 10:44:29.000 [err] Reading config failed--see warnings above.

December 27, 2020

In reply to gk

Permalink

The relevant logs :

  1. Dec 27 17:28:43.000 [warn] Bridge line with transport obfs4 is missing a ClientTransportPlugin line<br />
  2. Dec 27 17:28:43.000 [err] set_options(): Bug: Acting on config options left us in a broken state. Dying. (on Tor 0.4.5.2-alpha 135b8eea36edd992)<br />
  3. Dec 27 17:28:43.000 [warn] Controller gave us config lines that didn't validate: (null)<br />

This is a debian sid 64 bits. Tor browser is installed in the $HOME directory and it is the default version given on tp website

December 23, 2020

Permalink

In the last fev days all the first connects for the tor network across any obsf4 bridge failed for first only the second attempt was succeeded.
I tested the connection and maybe some ipv6 leaks is maybe. After I tried to search obsf4 bridges with ipv6 support but this link doesn't work (https://bridges.torproject.org/options) I got red alert everytime.

In same time I have experienced some other interesting things by these I have an idea and I have a question:

What do you think or what do you know is possible all network traffic (Tor) of a user take into a virtual sandbox or into some other similar environment? And is the attacker able to check and manipulate the packets and to hijack the traffic in this "virtual box" before these arrive for the user? The list of my experiences are too long to write these down sorry.
Some website arrive for me with missing elements (scripts), these elements are importants and this is not accident it's hundred percent sure.
I will make more tests, if somebody has ideas please share with me. Thank's.

December 23, 2020

Permalink

Is the signing key expired?

$ gpg --verify '/home/user/Desktop/tor-browser-linux64-10.0.7_en-US.tar.xz.asc'
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: assuming signed data in '/home/user/Desktop/tor-browser-linux64-10.0.7_en-US.tar.xz'
gpg: Signature made Sun 13 Dec 2020 07:07:39 AM UTC
gpg: using RSA key EB774491D9FF06E2
gpg: Can't check signature: No public key

$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-key EB774491D9FF06E2
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
gpg: Total number processed: 1
gpg: imported: 1

$ gpg --verify '/home/user/Desktop/tor-browser-linux64-10.0.7_en-US.tar.xz.asc'
gpg: assuming signed data in '/home/user/Desktop/tor-browser-linux64-10.0.7_en-US.tar.xz'
gpg: Signature made Sun 13 Dec 2020 07:07:39 AM UTC
gpg: using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2

$ gpg -kv
gpg: using pgp trust model
gpg: Note: signature key 2E1AC68ED40814E0 expired Fri 25 Aug 2017 11:26:30 AM UTC
gpg: Note: signature key 7017ADCEF65C2036 expired Fri 25 Aug 2017 11:23:23 AM UTC
gpg: Note: signature key D1483FA6C3C07136 expired Fri 24 Aug 2018 11:26:24 AM UTC
gpg: Note: signature key EB774491D9FF06E2 expired Sat 19 Dec 2020 02:52:33 AM UTC
/home/user/.gnupg/pubring.kbx
-----------------------------
pub rsa4096 2014-12-15 [C] [expires: 2025-07-21]
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key)
sub rsa4096 2014-12-15 [S] [expired: 2017-08-25]
sub rsa4096 2014-12-15 [S] [expired: 2017-08-25]
sub rsa4096 2016-08-24 [S] [expired: 2018-08-24]
sub rsa4096 2018-05-26 [S] [expired: 2020-12-19]
sub rsa4096 2014-12-15 [] [revoked: 2015-08-26]

December 25, 2020

Permalink

Red line through the lock next to https: for the website ipcheck.info and anonymouse.org
This browser is not secure. If I use firefox or chrome, there is no redline through the lock.

December 26, 2020

Permalink

I'm on Android 10 on a moto g⁷ power (XT1955-7)

Tor updated yesterday via PlayStore and now can't even open at all.

Tor: Version 10.0.7 (84.1.0-Release)

December 27, 2020

Permalink

Suggestion: Update

In the settings page I did not see alternative:
-- I'll check manually for updates.

I'd like to have this alternative because
-- I don't want my browser to make a trail of connection each time I start it.

There are always someone (with big resources) interested to gather such data.

January 01, 2021

Permalink

sometimes i see this on clearnet sites:

Onionsite Has Disconnected

The most likely cause is that the onionsite is offline. Contact the onionsite administrator.

Details: 0xF2 — Introduction failed, which means that the descriptor was found but the service is no longer connected to the introduction point. It is likely that the service has changed its descriptor or that it is not running.

-- Why would this be displayed on a clearnet (non-onion) domain? Odd.

January 03, 2021

Permalink

[01-04 06:31:37] Torbutton NOTE: Exception on control port [Exception... "Component returned failure code: 0x804b000e (NS_ERROR_NET_TIMEOUT) [nsIBinaryInputStream.readBytes]" nsresult: "0x804b000e (NS_ERROR_NET_TIMEOUT)" location: "JS frame :: chrome://torbutton/content/torbutton.js :: torbutton_socket_readline :: line 467" data: no]
Even on a fast machine.