New Release: Tor Browser 10.0.15

Update: 9 April 2021: Android Tor Browser 10.0.15 is now available.

Tor Browser 10.0.15 is now available from the Tor Browser download page and also from our distribution directory.

This version updates OpenSSL to 1.1.1k. In addition, Tor Browser 10.0.15 includes a bugfix for when JavaScript is disabled on websites.

Relay operators who use the Windows Expert Bundle are strongly encouraged to upgrade their relay.

Note: Tor Browser will stop supporting version 2 onion services in June (two months from now). Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.
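An added example, not Tor Project code: one way to find bookmarks that still point at version 2 onion services before support ends. It assumes the address formats from the Tor rendezvous specifications (a v2 label is 16 base32 characters; a v3 label is 56 and encodes a 32-byte public key, a 2-byte SHA3-256 checksum and a version byte); the function names and sample hostnames are constructed for illustration.

```python
import base64
import hashlib
import re

V2_LABEL = re.compile(r"[a-z2-7]{16}")  # v2: 80 bits of a key hash, base32
V3_LABEL = re.compile(r"[a-z2-7]{56}")  # v3: 35 bytes (key|checksum|version)


def v3_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2], VERSION = 0x03
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]


def make_v3_label(pubkey: bytes) -> str:
    # Encode 32 key bytes as a v3 label; used here only to build sample data.
    return base64.b32encode(pubkey + v3_checksum(pubkey) + b"\x03").decode().lower()


def classify_onion(host: str) -> str:
    """Return 'v2', 'v3', 'invalid' or 'not-onion' for a hostname."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "not-onion"
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain
    if V2_LABEL.fullmatch(label):
        return "v2"
    if V3_LABEL.fullmatch(label):
        raw = base64.b32decode(label.upper())  # 56 chars -> 35 bytes
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
        # Format check only: does not verify the key is a valid ed25519 point.
        if version == 3 and checksum == v3_checksum(pubkey):
            return "v3"
    return "invalid"  # wrong length, mistyped label, or bad checksum


def audit_bookmarks(hosts):
    """Group hostnames by classification so v2 entries can be replaced."""
    report = {}
    for h in hosts:
        report.setdefault(classify_onion(h), []).append(h)
    return report


if __name__ == "__main__":
    # Constructed sample bookmarks; none of these is a real service.
    sample = [make_v3_label(bytes(range(32))) + ".onion",
              "abcdefghijklmnop.onion", "example.com"]
    for kind, hosts in audit_bookmarks(sample).items():
        print(kind, hosts)
```

Anything reported as `v2` needs the operator's new v3 address; `invalid` entries are usually truncated or mistyped v3 addresses.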

The full changelog since Desktop Tor Browser 10.0.14 and Android Tor Browser 10.0.12 is:

  • Windows + OS X + Linux + Android
    • Update OpenSSL to 1.1.1k
    • Bug 40030: Add 'noscript' capability to NoScript
  • Android
    • Update Fenix to 87.0.0
    • Update NoScript to 11.2.4
    • Update Tor to 0.4.5.7
    • Translations update
    • Bug 40045: Add External App Prompt for Sharing Images
    • Bug 40047: Rebase android-components patches for Fenix 87.0.0
    • Bug 40151: Remove survey banner on TBA-stable
    • Bug 40153: Rebase Fenix patches to Fenix 87.0.0
    • Bug 40365: Rebase 10.5 patches on 87.0
    • Bug 40383: Disable dom.enable_event_timing
  • Build System
    • Android
      • Bug 40162: Build Fenix instrumented tests apk
      • Bug 40172: Move Gradle compilers out of android-toolchain to own gradle project
      • Bug 40241: Update components for mozilla87-based Fenix

Working again for me too! Thank you thank you Tor people!

I do not really search much but when I do I am doing research and it is important to be able to click on search page links with the highest security level, because when researching obscure topics you are often directed to other than well-known sites. For that matter, even major media sites have been found at times to be unwittingly serving malware.

Request: when Tor Project gets the "anonymously report an issue" tool ready, PLEASE explain how to use it in a post in this blog. Please note that requiring users to have an email account, chat account, etc. will exclude some users. OTOH, Tails Project uses whisperback which is not perfect but does not require anything not already provided in a standard Tails. In the same way, any "secret" tokens or whatever should be provided with the latest TBB tar ball. It would be useful to be able to report both observations about strange behavior of the Tor network as well as documenting bugs. Alternatively, it would be fabulous if TP followed the Riseup example and had a Tor network health barometer on the home page, so that users can be alerted (and know they should be patient) if TP thinks the network is currently under attack.

> major media sites have been found at times to be unwittingly serving malware.

My virus scanner once encountered state-sponsored malware on the website of a major media corporation based in that same nation-state. Makes you wonder about the ties between money, politics, law, rights, and class.

> when Tor Project gets the "anonymously report an issue" tool ready, PLEASE explain how to use it in a post in this blog.

They did on February 09, 2021: https://blog.torproject.org/anonymous-gitlab

> Tails Project uses whisperback
> any "secret" tokens or whatever should be provided with the latest TBB tar ball.
> if TP followed the Riseup example and had a Tor network health barometer on the home page, so that users can be alerted (and know they should be patient) if TP thinks the network is currently under attack.

Good ideas. I hope Tor Project looks into them. You can get their attention anonymously by reporting an issue. I don't see a barometer on RiseUp's home page, but here is Tor Project's Status portal: https://status.torproject.org/
And here is the Metrics portal: https://metrics.torproject.org/
Also recently relevant: https://blog.torproject.org/contribute-to-tor-metrics-timeline

Anonymous

March 29, 2021

Is there any chance it would be possible to ask you to keep a live link to previous versions at least for a few days after a new release, in order to allow package management solutions (e.g. chocolatey) some time to update the tor package? Currently, every time you release a new version, it breaks the package which still points to the older version download link (right now it's 10.0.12 for example).
No need to reply, just food for thought.
Thanks in advance.

> keep a live link to previous versions at least for a few days after a new release, in order to allow package management solutions (e.g. chocolatey) some time to update the tor package?

The previous versions are on live links. Copy the URL from the download page, and go up a few directories:
https://www.torproject.org/dist/torbrowser/

Or, better than that, this file -- whose name never changes -- can be parsed:
https://www.torproject.org/dist/torbrowser/update_2/release/downloads.j…
It redirects to aus1.*

Tell chocolatey's maintainers.

Anonymous

March 30, 2021

Was there yet another java "leak"? I read about it on the Google Play feedback section for the Android app but assumed it only affected the Android version due to how crap it is and how little care Tor Devs have for it. I'm sure plenty of hidden services exploited their lack of user protection.

Just open Tor Browser's page in Google Play, click on "Read All Reviews," and do Ctrl+F for "java".

Why does Tor Project neglect looking there for bug reports? You need to go and write in your app's description on its page (Play, GuardianProject) to tell people to bring their bug reports to reporting channels that are monitored!

  • 2021-02-21: can't open "about:config" in the address bar to turn off Javascript
  • 2021-02-22: unable to deactivate java script
  • 2021-03-02: WHY IS [NoScript] the only addon that needs to be reset to default to block java??
  • 2021-03-02: I'm told that Javascript is running and I need to disable it before I can proceed.
  • 2021-03-06: on safest and it still talks of JavaScript
  • 2021-03-12: One day it works on sights where java script needs disabling the next day it doesn't , I wrote "about:config" in the address bar and once it took me to some settings where I could toggle jscript from true to false and then it worked ,but again it doesn't with no way of accessing the settings
  • 2021-03-14: Current build of the official TOR browser gives Javascript errors, states Java is running even in high security mode and "about config" is totally unresponsive. Many sites left inaccessible by this error.
  • 2021-03-30: it says javascript needs to be disabled but the about:config method I originally used to disable javascript no longer works
  • 2021-03-31: .onion page and they tell you to turn off Java

They could be because of Bug 40030: Add 'noscript' capability to NoScript. But many of them are dangerously customizing about:config. A proper notice from developers could have mitigated their action.

No, all of those comments are due to misunderstanding how the Safest security level works. This has no relationship to Java. Tor Browser does not disable JavaScript via the internal Firefox preference. It uses NoScript to disable JavaScript for each page.

Anonymous

March 30, 2021

When I enter about:networking#networkid in the URL there is a value called network id. What is this value and how is it used?

Anonymous

April 11, 2021

It's no longer possible to connect to version 2 onion services with Tor Browser 10.5a13. Wasn't the deadline supposed to be June 2021?

Correct, as noted above:

Note: Tor Browser will stop supporting version 2 onion services in June (two months from now). Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.

https://blog.torproject.org/v2-deprecation-timeline

Tor Browser Alpha contains an alpha version of tor version 0.4.6 where v2 onion support is already removed.
