New Release: Tor Browser 10

Update 1700 UTC 2020-09-24: After investigating the error seen by Windows users while playing videos on Youtube, a user helped us identify the cause. Until this is fixed in an upcoming release, a workaround is setting media.rdd-opus.enabled as false in about:config.

The new shiny Tor Browser 10 for Desktop is now available from the Tor Browser download page and also from our distribution directory!

Android Tor Browser 10 is under active development and we are supporting the current 9.5 series for Android until the new one is ready. We are informed by Mozilla of any issues they learn about affecting the 9.5 series. We expect to release the new Tor Browser for Android based on Fenix in the following weeks.

Tor Browser 10 ships with Firefox 78.3.0esr, updates NoScript to 11.0.44, and Tor to 0.4.4.5. This release includes important security updates to Firefox.

This new Tor Browser release is focused on stablizing Tor Browser based on a new extended support release of Mozilla Firefox. Tor Browser 10.0 is the first stable release of the 10.0 series based on Firefox 78esr.

Note: Tor Browser 10.0 is the final Tor Browser series supporting CentOS 6. Beginning with the 10.5 series, CentOS 6 is not supported.

Note: In this release JavaScript is controlled by NoScript again. JavaScript was completely disabled on the Safest security level beginning in Tor Browser 9.0.7. The Firefox preference javascript.enabled is reset to true in this release. You must re-set it as false if that is your preference.

Give Feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know. Thanks to all of the teams across Tor, and the many volunteers, who contributed to this release.

Full Changelog

The full changelog since Tor Browser 9.5.4 is:

  • Windows + OS X + Linux
    • Update Firefox to 78.3.0esr
    • Update Tor to 0.4.4.5
    • Update Tor Launcher to 0.2.25
      • Bug 32174: Replace XUL <textbox> with <html:input></html:input></textbox>
      • Bug 33890: Rename XUL files to XHTML
      • Bug 33862: Fix usages of createTransport API
      • Bug 33906: Fix Tor-Launcher issues for Firefox 75
      • Bug 33998: Use CSS grid instead of XUL grid
      • Bug 34164: Tor Launcher deadlocks during startup (Firefox 77)
      • Bug 34206: Tor Launcher button labels are missing (Firefox 76)
      • Bug 40002: After rebasing to 80.0b2 moat is broken
      • Translations update
    • Update NoScript to 11.0.44
      • Bug 40093: Youtube videos on safer produce an error
    • Translations update
    • Bug 10394: Let Tor Browser update HTTPS Everywhere
    • Bug 11154: Disable TLS 1.0 (and 1.1) by default
    • Bug 16931: Sanitize the add-on blocklist update URL
    • Bug 17374: Disable 1024-DH Encryption by default
    • Bug 21601: Remove unused media.webaudio.enabled pref
    • Bug 30682: Disable Intermediate CA Preloading
    • Bug 30812: Exempt about: pages from Resist Fingerprinting
    • Bug 31918+33533+40024+40037: Rebase Tor Browser esr68 patches for ESR 78
    • Bug 32612: Update MAR_CHANNEL_ID for the alpha
    • Bug 32886: Separate treatment of @media interaction features for desktop and android
    • Bug 33534: Review FF release notes from FF69 to latest (FF78)
    • Bug 33697: Use old search config based on list.json
    • Bug 33721: PDF Viewer is not working in the safest security level
    • Bug 33734: Set MOZ_NORMANDY to False
    • Bug 33737: Fix aboutDialog.js error for Firefox nightlies
    • Bug 33848: Disable Enhanced Tracking Protection
    • Bug 33851: Patch out Parental Controls detection and logging
    • Bug 33852: Clean up about:logins to not mention Sync
    • Bug 33856: Set browser.privatebrowsing.forceMediaMemoryCache to True
    • Bug 33862: Fix usages of createTransport API
    • Bug 33867: Disable password manager and password generation
    • Bug 33890: Rename XUL files to XHTML
    • Bug 33892: Add brandProductName to brand.dtd and brand.properties
    • Bug 33962: Uplift patch for bug 5741 (dns leak protection)
    • Bug 34125: API change in protocolProxyService.registerChannelFilter
    • Bug 40001: Generate tor-browser-brand.ftl when importing translations
    • Bug 40002: Remove about:pioneer
    • Bug 40002: Fix generateNSGetFactory being moved to ComponentUtils
    • Bug 40003: Adapt code for L10nRegistry API changes
    • Bug 40005: Initialize the identity UI before setting up the circuit display
    • Bug 40006: Fix new identity for 81
    • Bug 40007: Move SecurityPrefs initialization to the StartupObserver component
    • Bug 40008: Style fixes for 78
    • Bug 40017: Audit Firefox 68-78 diff for proxy issues
    • Bug 40022: Update new icons in Tor Browser branding
    • Bug 40025: Revert add-on permissions due to Mozilla's 1560059
    • Bug 40036: Remove product version/update channel from #13379 patch
    • Bug 40038: Review RemoteSettings for ESR 78
    • Bug 40048: Disable various ESR78 features via prefs
    • Bug 40059: Verify our external helper patch is still working
    • Bug 40066: Update existing prefs for ESR 78
    • Bug 40066: Remove default bridge 37.218.240.34
    • Bug 40073: Disable remote Public Suffix List fetching
    • Bug 40073: Repack omni.ja to include builtin HTTPS Everywhere
    • Bug 40078: Backport patches for bug 1651680 for now
    • Bug 40082: Let JavaScript on safest setting handled by NoScript again
    • Bug 40088: Moat "Submit" button does not work
    • Bug 40090: Disable v3 add-on blocklist for now
    • Bug 40091: Load HTTPS Everywhere as a builtin addon
    • Bug 40102: Fix UI bugs in Tor Browser 10.0 alpha
    • Bug 40106: Cannot install addons in full screen mode
    • Bug 40109: Playing video breaks after reloading pages
    • Bug 40119: Enable v3 extension blocklisting again
  • Windows
    • Bug 33855: Don't use site's icon as window icon in Windows in private mode
    • Bug 40061: Omit the Windows default browser agent from the build
  • OS X
    • Bug 32252: Tor Browser does not display correctly in VMWare Fusion on macOS (mojave)
  • Build System
    • Windows + OS X + Linux
      • Bump Go to 1.14.7
      • Bug 31845: Bump GCC version to 9.3.0
      • Bug 34011: Bump clang to 9.0.1
      • Bug 34014: Enable sqlite3 support in Python
      • Bug 34390: Don't copy DBM libraries anymore
      • Bug 34391: Remove unused --enable-signmar option
      • Bug 40004: Adapt Rust project for Firefox 78 ESR
      • Bug 40005: Adapt Node project for Firefox 78 ESR
      • Bug 40006: Adapt cbindgen for Firefox 78 ESR
      • Bug 40037: Move projects over to clang-source
      • Bug 40026: Fix full .mar creation for esr78
      • Bug 40027: Fix incremental .mar creation for esr78
      • Bug 40028: Do not reference unset env variables
      • Bug 40031: Add licenses for kcp-go and smux.
      • Bug 40045: Fix complete .mar file creation for dmg2mar
      • Bug 40065: Bump debootstrap-image ubuntu_version to 20.04.1
      • Bug 40087: Deterministically add HTTPS Everywhere into omni.ja
    • Windows
      • Bug 34230: Update Windows toolchain for Firefox 78 ESR
      • Bug 40015: Use only 64bit fxc2
      • Bug 40017: Enable stripping again on Windows
      • Bug 40052: Bump NSIS to 3.06.1
      • Bug 40061: Omit the Windows default browser agent from the build
      • Bug 40071: Be explicit about no SEH with mingw-w64 on 32bit systems
      • Bug 40077: Don't pass --no-insert-timestamp when building Firefox
      • Bug 40090: NSIS 3.06.1 based builds are not reproducible anymore
    • OS X
      • Bug 34229: Update macOS toolchain for Firefox 78 ESR
      • Bug 40003: Update cctools version for Firefox 78 ESR
      • Bug 40018: Add libtapi project for cctools
      • Bug 40019: Ship our own runtime library for macOS
    • Linux
      • Bug 34359: Adapt abicheck.cc to deal with newer GCC version
      • Bug 34386: Fix up clang compilation on Linux
      • Bug 40053: Also create the langpacks tarball for non-release builds
Anonymous

September 22, 2020

Permalink

I love Tor and ten is my lucky number! Can't wait to see android get some updates too! :)

Anonymous

September 22, 2020

Permalink

Were there any changes to browser size rounding? 10.0 is opening at 999x499 for me, if maximized it's 1198x599. This is viewport size as reported by websites.

However everything is also quite zoomed-in by default, I've checked Preferences and the zoom setting claims "100%". But judging by the actual browser size in terms of native OS pixels the zoom is about 125%. The OS is not using any kind of resolution scaling or anything similar, everything is at native resolution.

This is on Linux.

I'm also wondering about this. I love the scaling, it's easier on the eyes, but I'm wondering about it maximizing and why there isn't anything in the changelog about it. Is maximizing the browser no longer a problem? Linux here too.

Does not work for torbrowser-launcher 3.2 in ubuntu. Torbrowser-launcher is steadfastly plagued with update issues. Developer not competent? Bad image for torproject team. Torbrowser-launcher from ubuntu software manager is how majority install tor browser.

If it's not maintained properly then why don't you fork it and make it an official one? There already seems to be tor developers helping to maintain it (intrigeri)
It supports AppArmor profiles on Debian/Ubuntu by default and feels a lot better than to launch a commonly used system application from an ugly folder all the time. You maintain a more legit app on Android/F-Droid at this point than desktop, you absolutely should fork this imo if you're having trouble with the current maintainer.

Anonymous

September 22, 2020

Permalink

long time bug ubuntu. noscript and httpseverywhere plugin icons do not show top right. version 9 and 10 tbb.

This applies to NoScript (and HTTPS Everywhere):

The noscript icon was removed from the location bar intentionally, as part of Tor Browser's security controls redesign:
https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-s…
boklm

[...] and there are risks that you make changes in its settings that make you stand out of Tor Browser users. Tor Browser users should not need to mess with NoScript at all. But you are of course free to add it back to your toolbar if you feel more comfortable that way.
gk

To add it back:
Click The Firefox menu button, select "Customize" (screenshot and button image from Firefox help)
Customize menu
Right-click and select "Add to toolbar", or drag them to the desired places yourself.

Those icons were hidden a long time ago. If you need them, then open "Customize..." and drag them onto the toolbar. Modifying the settings of those add-ons may make your browsing activity unique however, so it's recommended to use the security level icon instead.

To be fair NoScript needs to be there in the Safest mode. When people click it there should be a small warning to tell people that enabling Javascript on a per domain basis might be used to fingerprint you.

I only say this because at a seminar I went to virtually someone was teaching people JS tactics to use for some sites. Everyone who attended this virtual seminar will revert to using the same tactics, thus they would likely be indistinguishable from each other.

The NoScript & HTTPS-Everywhere plugin-icons were removed from the URL-bar,

To reinstate them, Click Menu, click Customize,

Then left-click and hold button down on the NoScript icon,
and then drag it to the URL-bar and drop it (release the mouse button).

...

Anonymous

September 22, 2020

Permalink

Tor 10, unlike Firefox ESR 78.3, does not have telemetry or unwanted connections to hosts such as firefox.services.settings.mozilla.org among many others. It would be great if you create a guide or a patch to remove those connections for Firefox ESR users.

If i use only TOR_TRANSPROXY=1, i have error "The proxy server is refusing connections"
If i use TOR_SKIP_LAUNCH=1 and TOR_TRANSPROXY=1 i have "Hmm. We’re having trouble finding that site." No internet access.

9 version work perfect. But after update i have this trouble.
OS Windows 10

Thanks for the information, I already had the steps of the Mozilla guide and I have not managed to eliminate all the connections. firefox.settings.services.mozilla.com continues making connections even after adding it to the host list, other connections not mentioned in the guide are made like location.services.mozilla.com, push.services.mozilla.com, among other.

The very best:*wtf*

firefox.settings.services.mozilla.com
Firefox connects to firefox.settings.services.mozilla.com. You cannot disable this. Your only recourse is to block access to this host in your "hosts" file by putting in this line:
127.0.0.1 firefox.settings.services.mozilla.com

That's right, there is no way to disable this. The only way is by adding to the host list of the operating system. In my case it has not worked and Firefox continues to do so. In Wireshark I see that 2 DNS requests are made and the corresponding responses are received. 4 IP addresses belonging to AWS are associated, these IP addresses are not always the same.

Anonymous

September 22, 2020

Permalink

Youtube now gives this error now when starting a video after the new update.

An error occurred. Please try again later.

Anonymous

September 22, 2020

Permalink

Hi,
I have been having issues with updating tor. It started with me not realizing that it needed an update. I recognize this as my fault and I tried to fix it but as I tried I feel like it just got worse and worse. At first I tried the classic uninstall and redownload method but that didn't work. First off for some reason the tor browser installer kept saying "The destination directory already exists. You can try to upgrade the Tor Browser Bundle, but if you run into any problems, use a new directory instead Continue?". Even when I clicked yes my antivirus software would say that the firefox.exe was a high level threat so at first I ignored it but even when I did I would run into the problem of the tor browser saying "Tor Browser is already running, but is not responding. The old Tor Browser process must be closed to open a new window.". Now I know that Firefox was ok but my antivirus didn't like so I am not sure what to do. I have checked every last square inch of my files even when I delete all mentions of it will continue to say "The destination directory already exists. You can try to upgrade the Tor Browser Bundle, but if you run into any problems, use a new directory instead Continue?". Now even when I say yes it pops up in the middle of the download saying that it couldn't open the files for writing. I don't know what's going on all I know is I cant get into tor because I didn't know that I myself had to prompt it to update which is what caused all of this. I need help is the message I am trying to get across.
Thank you for your time.

Try rebooting (I know, not very good advice), and you can delete the current directory and then re-install Tor Browser using the installer. However, before you try this, first please try using the built-in automatic updater (open the Help menu, then click About Tor Browser).

That is actually the correct suggestion, the user has a background Tor process running and rebooting is the quickest solve to dismiss it. After reboot, the user should NOT start Tor again but instead uninstall at that time, then reboot again, then reinstall fresh.

Anonymous

September 22, 2020

Permalink

This broke torbrowser-launcher (SO ANNOYNING! Not the first time this happens...)
Unable to use tor browser, it errors with "I'm being attacked"...

Yeah, i have the same problem. I've done a fresh install of Ubuntu 20.04.1 and try to install Tor. I'm stuck in installing window with error I'm being attacked. I left the installing run for several minutes but it didn't finish.

Anonymous

September 22, 2020

Permalink

Instead of loading some well-known .com site, Tor browser shows:

Onionsite Has Disconnected
Browser
Network
Onionsite

The most likely cause is that the onionsite is offline. Contact the onionsite administrator.

Details: 0xF2 — Introduction failed, which means that the descriptor was found but the service is no longer connected to the introduction point. It is likely that the service has changed its descriptor or that it is not running.

Anonymous

September 22, 2020

Permalink

All tabs closed. A lot of new connections to addresses like cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion
continue to have a sex with my PC (approx. 2 per second).
What the hell?

Anonymous

September 22, 2020

Permalink

When I go to DDG .onion @ https://3g2upl4pq6kufc4m.onion/

I type in my search query and hit Enter but it goes to a blank page which says, "Forbidden."

The regular clearnet DDG page works without this error.

This is new in TB10.

How to fix?