New Release: Tor Browser 10.0.5

by sysrqb | November 27, 2020

Updated on 27 November 2020: Android Tor Browser 10.0.5 is now available. (Originally published on 17 November)

Tor Browser 10.0.5 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox on desktops to 78.5.0esr, Fenix on Android to 83.1.0 and updates Tor to 0.4.4.6. This release includes important security updates to Desktop Firefox, and important security updates to Android Firefox.

Note: Android Tor Browser 10.0.5 is delayed until next week. In the future, new Tor Browser versions for Android and Desktop should be published at the same time.

The full changelog since Tor Browser 10.0.4 (Desktop) is:

  • Windows + OS X + Linux
    • Update Firefox to 78.5.0esr
    • Update Tor to 0.4.4.6
    • Bug 40212: Add new default obfs4 bridge

The full changelog since Tor Browser 10.0.4 (Android) is:

  • Android
    • Update Fenix to 83.1.0
    • Update Tor to 0.4.4.6
    • Bug 40212: Add new default obfs4 bridge
  • Build System
    • Android
      • Bug 40126: Update toolchains for Fenix 83
      • Bug 40126: Bump Node to 10.22.1 for mozilla83
      • Bug 40127: Update GeckoView to 83, android-components to 63.0.1, and Fenix to 83.0.0b2
      • Bug 40160: Update Fenix to 83.1.0, and android-components to 63.0.9
      • Bug 40211: Lower required build-tools version to 29.0.2

Comments

Please note that the comment area below has been archived.

November 17, 2020

Permalink

To Tor,

TURN OFF all my updates, a bloody never ending constant stream of updates, more updates. Bugger off, I have loooked at the Tor settings and aparrently there is no turn off button, Mmm why am I not that surprised.

John.

Are you on Android? Because desktop is based on Firefox ESR and doesn't update more than about twice a month. If your comment is a taste of things to come for desktop, we'll be hearing more complaints like yours after desktop eventually migrates to Firefox's standard releases. Everyone better get used to saving their tab sessions as bookmarks.

November 17, 2020

Permalink

Thank you, Tor Project. After update, the browser opened to a purple tab, "Tor Browser has been updated," and the tab flap says "About Tor". Is it supposed to be purple? I was expecting the black layout that asks for donations.

I sure hope that when Desktop and Android are published at the same time that Desktop will still be able to access about:config.

Yes, the "Tor Browser has been updated" page is now remaining purple, even if the background on about:tor is black (or another color). Some users became concerned on a previous update when the "updated" page unexpectedly was black. We hope this change will provide continuity across versions. You can see the details at https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/40021

Regarding about:config, there aren't any plans for removing access on desktop.

November 28, 2020

In reply to sysrqb

Permalink

Why has about:config been blocked on the android version? And why is there no longer any option to change the home page to blank on android? Not everyone is into the anarcho-grunge purple esthetic appearing on their phone every time they open their browser...lol

> why is there no longer any option to change the home page to blank on android?

I'm surprised there isn't. Big Tor logos can be a liability in the presence of authorities hostile to privacy.

December 07, 2020

In reply to sysrqb

Permalink

Out of curiosity, is Android Tor Browser or Android Firefox or Fenix able to access about:config at this address? chrome://global/content/config.xhtml Desktop Firefox and Tor Browser has a new interface for about:config since some months ago, but its old interface is accessible at that address. I bookmarked the old interface because the new interface doesn't have the feature to sort columns.

November 17, 2020

Permalink

What means this entry:
firefox.settings.services.mozilla.com 443

in about:networking#http ?

November 29, 2020

In reply to sysrqb

Permalink

Can I disable Firefox Remote Services manually in about:config until issue 40038 is closed? Would this be safe?

Issue 40038 is closed and implemented. Remote Services will not be completely disabled because Firefox (and Tor Browser) rely on downloading some updated information from Mozilla. We do not recommend you completely disable Remote Settings.

November 18, 2020

Permalink

Nice.

November 18, 2020

Permalink

[11-18 09:51:46] Torbutton WARN: Version check failed! JSON parsing error: SyntaxError: JSON.parse: expected ',' or ']' after array element at line 19 column 1 of the JSON data

November 18, 2020

Permalink

Hi,
why is the Android release delayed? Is there any ticket explaining the problem?
Thanks

The delay was due to insufficient testing of the Android version. We simply needed additional time for testing the new version in an Alpha version before publishing it as a stable version.

November 18, 2020

Permalink

Official name is "Firefox for Enterprise", not "Firefox for Desktop", so this is "Tor Browser for Enterprise".

The purpose of notating a version as "Desktop" or "Android" is only distinguishing between the two general platforms. The goal is not distinguishing between the Extended Support Release ("for Enterprise") and Rapid Release ("Release"), therefore we describe these are Android Tor Browser and Desktop Tor Browser.

November 18, 2020

Permalink

What's with disabling the "picture-in-picture" feature for videos? It has to be reenabled via about:config. It can't be a security risk, surely?

December 04, 2020

In reply to sysrqb

Permalink

Thank you thank you! I believe I have seen this used in the wild against Tails users. I presume the version of Tor Browser in current Tails inherits the block?

November 18, 2020

Permalink

There is still the bug of DDG searches made in the address bar disappearing when hitting the back navigation button after visiting another website. Really annoying (I don't use the normal search bar, just the address bar for searches, like many people). Will this ever be fixed, or is it a firefox/mozilla bug/feature?

November 29, 2020

In reply to sysrqb

Permalink

DDG still discloses the search query by showing it in the URL (submits the form via the GET method) on the TorBrowser's Safest security level (DDG's scripts are not allowed in NoScript). The workaround is to always search in the weaker TB security mode :(, or manually add DDG to the NoScript's Trusted sites before each search(!).
Consider adding DDG to the Trusted Sites list of NoScript.

No, that is not the case. The search query is shown in the url bar when using the Safest security level because DDG redirect the query from duckduckgo.com to html.duckduckgo.com, and that redirect changes the request from a POST to a GET. Subsequent queries on html.duckduckgo.com use POST. However, aside from potential shoulder-surfing, I don't see much benefit to using POST requests, especially given the usability problem it introduces as described by the OP.

I think its behavior now is fine. It was worse before letterboxing because those bars, which are sized by whichever windowing theme you happen to be using, gave your page area's dimensions a high-entropy fingerprint. Is your issue that the page area isn't centered vertically in the letterbox? That would be relatively easy to patch. Is your issue that you want the page area to fill the vertical space and adhere to letterbox increments? Then, the vertical size of the entire window would have to snap-decrease rather than the letterboxing in one tab.

Those bars don't really need to be used. The Menu Bar's features are in the 3-lines hamburger menu on the right-hand side, and the Bookmarks Toolbar is candy for shoulder surfers and makes your browser fingerprint stand out across every tab and every New Identity session. Instead, you could Customize the main toolbar and drag the button for the Bookmarks Menu onto the main toolbar, or you could open the Bookmarks Sidebar when you need it.

As far as I know, Tor Browser always has been able to play youtube videos in standard security mode. Changes were needed only in the higher security modes: safer and safest.

November 19, 2020

Permalink

Thank you very much for your hard work. This time, I experienced something a bit strange, though perhaps accidental and unimportant.
1) While using 10.0.4, I saw the "A new Tor Browser update is available" balloon popped up.
2) I clicked "See what’s new" and came to this page.
3) I didn't click "Download Update" nor "Not Now" but was doing something else.
4) After a while I noticed that the only blue "Download Update" rectangle remain on the Browser's main window, the said balloon not having disappeared entirely nor remaining (redrawn) properly, but only the blue part remained.
5) I thought I'd update later, after backing up 10.0.4 just in case, so I ignore this blue "button", which eventually disappeared... or so I thought.
6) After a while I restarted TorBrowser 10.0.4, then updating started (perhaps I accidentally clicked "Download Update" in 5, though I didn't think so...). So from my point of view, this was a force-update to 10.0.5, without asking. So far I can't reproduce this behavior, though...

The above is essentially harmless, just that 10.0.4 was updated to 10.0.5, which I was going to do anyway. However, at least the "update is available" balloon is (was) not redrawn properly in some situation, when you don't close it explicitly by clicking "Not Now" and keep it floating for a while. That's what I think I experienced anyway. Just something cosmetic, I guess.

Drawing (showing) the blue "Download Update" part floating on the page is trivially easy via CSS, so if this is allwed and accepted by the end user, potentially a malicious web site can show the same blue "button" that looks like a button to update Tor Browser and let the user download something else. In reality, probably no one is tricked by that, though... Thanks again.

Yes, all updates are downloaded automatically and the update process is completed on the next start of the browser, only if the download completed successfully before you quit the browser during the previous session.

November 21, 2020

Permalink

Since updating on 17th many things do not work now. My bookmarks have disappeared. I am not able to get new bookmarks to add to the library either. How can I recover my book marks and adding facility?

November 28, 2020

Permalink

what is gitlab approval time? problematic email domain is excluded? I wait some days

I make this comment in blog post "From Trac into Gitlab for Tor" but it's not approved.

November 28, 2020

Permalink

it is impossible to download 10.0.5 for android from this site by using the previous android version of Tor browser.

November 29, 2020

Permalink

in about:config
set extensions.torbutton.resize_new_windows to false,
but after restart torbrowser this setting again TRUE
this happens every time, every time you start torbrowser.
why is it so? maybe bug?

December 01, 2020

Permalink

Gah. Your tab just crashed.
We can help!

Choose Restore This Tab to reload the page.

MacBook Pro 2020 M1 please fix

December 02, 2020

Permalink

I am on Android. For some reason the auto updates enabled it self or idk maybe I had them enabled and tor updated to 10.0.5. The interface is ok. But when I went to bookmarks they were all changed. Before, they were in chronological order, so that the first I saved were at the top and the newer ones at the bottom. But it seems like, when it was importing them, it did not follow any order, because now the bookmarks are randomized. Some that were at the top are now at the bottom and vice versa. They are not even in alphabetical order. I cannot find anythjng because of this. I also cannot fix it because in Android I cannot change the bookmark's place (In PC I can just drag and drop it to a new location, but holding them on android just "selects" them and the only option is delete). Maybe you should add an option to change bookmarks' place/location so I (and other people who might have had the same problem) can fix it. Maybe some kind of slider/button at one side that you can hold then drag to move the location.

December 02, 2020

Permalink

Hi, Tor Browser Guys,

I just wanted to tell you that I needed to downgrade Tor Browser to a pre-10.0 version because on my Android (8.0) smartphone it still is not possible to do about:config!!

For me, since about Tor Browser version 10, there are three fatal errors, every single one of them knocking out my acceptance to this app:

  1. about:config is no more possible. Writing this into the address line does not lead to the configuration.
    You got an extensive email about this by me.
    You did not resolve this error.
  2. The user does not have any choice about the cookie behaviour of the browser.
  3. The import button of the noscript add-on does not work at all!
    (Test: Do some noscript configuration with site-specific settings. Export it to a file. Do completely different settings. Import the saved setting. Nothing is changed.)

Starting with about 10.0.2 this is the worst Tor Browser.
Sorry to tell.

Hello,

For (1), Mozilla is tracking that in https://github.com/mozilla-mobile/fenix/issues/7865
For (2), correct, adjusting the cookie settings was not recommend in the previous version and it is not recommended on desktop. Our only goal was providing the same supported functionality from Tor Browser 9.5.4 and Tor Browser 10.0.3. Tor Browser does not accept third-party cookies, but it saves first-party cookies within a session. Currently there is not a way to disable first-party cookies, however they are deleted when you quit the app.
For (3), thanks for reporting this. We will investigate this. https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/402…

About your number 3, in case you didn't know, NoScript permissions are reset every time you change the security level. If you import permissions and then change your security level, the permissions will be deleted anyway unless you select "Override Tor Browser's Security Level preset" in NoScript's options. Be cautious about that option because customized permissions can be observed making uniquely identifiable connection patterns and can therefore de-anonymize your activity.

https://2019.www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
https://support.torproject.org/tbb/tbb-14/

December 04, 2020

Permalink

Firstly, thank you for Tor Browser! You developer guys are doing a wonderful job.

Re: your reply to a commenter above - "Yes, all updates are downloaded automatically and the update process is completed on the next start of the browser, only if the download completed successfully before you quit the browser during the previous session.|" (my emphasis) - so, a suggestion - perhaps when a user clicks on the 'close' button to terminate Tor Browser, but there is in fact an update downloading in the background at that moment, you could implement a pop-up message informing the user that Tor Browser is in the process of updating, and saying something like "an update is downloading right now. Are you sure you want to close Tor Browser, or would you rather wait until the update download is complete?".

Tor Browser weighs in at around 90MB, which may seem like nothing to those with unlimited bandwidth, but is a significant amount of data to those with limited (and costly) monthly data allowances.

Keep up the good work. The world needs you. ... (Just one thing, though; is there no way to detect and do something about these "exit nodes operated by bad guys" one reads about?

The update process came with the source code from Firefox. It's developed by Mozilla. Tor Project basically modifies the links and the files for Tor Browser's updates instead. You should write that suggestion on Mozilla's bug tracker.

There are ways to detect malicious exit nodes and ways to report them.[1][2] Over the years, many malicious or outdated relays have been discovered and ostracized.[3][4][5][6][7][8]

December 05, 2020

Permalink

I just started using the Android version after buying my first smartphone. Despite the UI regressions in Fenix, you've still overcome and made a solid product. I really appreciate the work y'all do.

December 08, 2020

Permalink

I don't know whether this will be answered, let alone seen (since The Tor Blog often stops at a certain point from approving comment submissions), but here goes:

Why are these links seen as not secure, and when I click on the padlock icon with a red slash through the padlock, there is no information about Tor nodes? Links which begin like these:

data:image/png;base64

Boggles my mind.

December 08, 2020

Permalink

From closed "New Release: Tor Browser 10.5a4"
https://blog.torproject.org/comment/290611#comment-290611
">Don't mix foreign webstorage with browser configs!
That was a decision made for Firefox, please contact them."

Great)-:.
From my own experience it's bound to fail -sorry.
You have more influence to convice Mozilla to do not
so obvious illogical things. Wrong doing against browser/Firefox/Torbrowser security.
So much discussions about convenience but for such a thing -mix foreign data with browser config!- there's only silence. Ehm.... .

If Mozilla want's to be trusted, it's Mozillas job to explain why it's a good idea to mix
foreign webstorage with browser configs. Logically explaining.

December 09, 2020

Permalink

Hi, there is a new version of openssl out, fixing a security issue. For next Tor release I think better update.