New Release: Tor Browser 10.0.16

by sysrqb | April 20, 2021

Tor Browser 10.0.16 is now available from the Tor Browser download page and also from our distribution directory.

This version updates Firefox to 78.10esr and Fenix 88.1.3 for Android devices. In addition, Tor Browser 10.0.16 updates NoScript to 11.2.4, and adds localization in Burmese. This version includes important security updates to Firefox for Desktop and security updates to Firefox for Android.

Warning:
Tor Browser will stop supporting version 2 onion services later this year. Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.

Note: New macOS Users, please report if you experience trouble with Gatekeeper when installing this Tor Browser version, and provide the error and the version of macOS you are using.

Note: The Android Tor Browser update will be available next week.

The full changelog since Desktop and Android Tor Browser 10.0.15:

  • Windows + OS X + Linux
    • Update Firefox to 78.10.0esr
    • Update NoScript to 11.2.4
    • Bug 40007: Update domain fronting config for Moat
    • Bug 40390: Add Burmese as a new locale
    • Bug 40408: Disallow SVG Context Paint in all web content
  • Android
    • Update Fenix to 88.1.3
    • Update HTTPS Everywhere to 2021.4.15
    • Update NoScript to 11.2.6
    • Translations update
    • Bug 40052: Rebase android-components patches for Fenix 88
    • Bug 40162: Disable Numbus experiments
    • Bug 40163: Rebase Fenix patches to Fenix 88.1.3
    • Bug 40423: Disable http/3
    • Bug 40425: Rebase 10.5 patches on 88.0.1
  • Build System
    • Android
      • Bug 40259: Update components for mozilla88-based Fenix
      • Bug 40293: Patch app-services' vendored uniffi_bindgen

    Changes:

    • Updated on 2021-04-23 to include Mozilla's Security Advisory
    • Updated on 2021-06-03 to include Android release information

Comments

Please note that the comment area below has been archived.

April 20, 2021

Permalink

> Tor Browser will stop supporting version 2 onion services later this year.

So what are the plans for content at:

onion.debian.org
onion.torproject.org

?

April 21, 2021

Permalink

V2 addresses are being deprecated too early.

The work that has been done to date to make v3s more accessible is inadequate. Please resume support for v2 (possibly with warnings) until an better solution is found, having to use old code bases is suboptimal.

Unfortunately that isn't realistic. Version 2 onion services have lived longer than they should. They will likely not be secure within the next five years, and we won't know when that happens until it's too late. Simply adding a warning will not force migration to version 3 addresses.

Accessibility of v3 addresses will improve as more people use them and the community adopts a solution.

April 23, 2021

In reply to sysrqb

Permalink

People in the community are saying there is a problem with the current tools and then Tor Project tells them, "Community you try to work out how to deal with problems we create." That's really not right. We do have time to work out a solution, so work it out first regardless of what we think about how long we've been using them. Also, I've seen suggestions provided, over the years and they seem to get ignored. It is overkill to have 50 chars. Expect hidden services to jump ship to I2P and renewed interest in other anonymous networks, because I'm going to be honest here, this is not good at all. I already see services breaking down and now I'm under the impression Tor devs don't want to use a solution.

1. This is a known issue. The Tor Project is part of the larger Tor community, and a solution will be found one way or another. However, the security, anonymity, and privacy properties of Tor must be maintained and moving to v3 addresses is necessary.

2. Version 2 onion services had similar usability and accessibility issues, those issues were simply less extreme. Some sites created vanity addresses, but that is not a solution for everyone and vanity addresses lead to other problems. In short, v3 onion addresses are not significantly worse than v2 addresses.

3. 50 characters is not overkill. This is the correct length for Tor's security parameters.

4. If you or anyone else has a viable solution, then please restart that conversation. We are already testing Namecoin and a centralized list.

May 10, 2021

In reply to sysrqb

Permalink

Why can you not make v2 and v1 length names with the v3 crypto? It's pretty rude to do this with the community.

> having to use old code bases is suboptimal.

There's the crux of it based on the comments I've read--libraries, modules, and userspace applications that aren't updated to version 3 onion services. Could you all MAKE A LIST of those and write them in a bug ticket, reddit thread, on a wiki, somewhere so at least they're together and everyone can find quickly which software projects are in need of repair?

April 21, 2021

Permalink

Add Burmese as a new locale

For Myanmar. Become a Tor translator. It's safer for people living outside of Myanmar to become translators of Burmese (language code: my). To sign up, you need an e-mail address. If you want more pseudonymity, you can create an e-mail inbox that is on a temporary service or an address that you intend to use only for Tor Project. Some e-mail services allow you to create and login to the e-mail address through Tor. If you do that, then also adjust your behavior (OpSec) based on your threat model.

April 22, 2021

Permalink

An old Tor bug biting me sometimes:

[warn] {DIR} Received http status code 404 ("Consensus is too old") from server x.x.x.x:443 while fetching consensus directory.

Whenever Tor has started with this error message, all my v3 onionsites are unreachable, and I have to restart Tor. V2 onions are not affected. Please fix ASAP.

Yes, tor needs a recent consensus so it can reach v3 onion services. This is a requirement.

Did you change any settings in Tor, or are you using the default configuration in Tor Browser? Did you enable bridges?

April 23, 2021

In reply to sysrqb

Permalink

Yes, tor needs a recent consensus so it can reach v3 onion services. This is a requirement.

Would it be possible to retry downloading the consensus from different entry nodes until it gets one that is recent enough?

Did you change any settings in Tor, or are you using the default configuration in Tor Browser? Did you enable bridges?

No Tor settings changed, no bridges enabled.

April 26, 2021

In reply to sysrqb

Permalink

Did you change any settings in Tor, or are you using the default configuration in Tor Browser? Did you enable bridges?

No Tor configuration changes besides setting up the onion services, and no bridges enabled. Apparently the client always tries to fetch the consensus from the same directory guard even if it failed, and the retry interval is 90 minutes, which is too long.

April 22, 2021

Permalink

When I opened Tor browser before the 10.0.16 update there was one tab open and on the right of the tab was a '+'. When I clicked this '+' a new tab opened, which was extremely handy. Since the 10.0.16 update this '+' has disappeared and now I can only open a new tab via File in the menu bar and then selecting 'new tab'. I find this very annoying so I uninstalled the update and reinstalled the previous version.

> this '+' has disappeared and now I can only open a new tab via File in the menu bar and then selecting 'new tab'.

Were you customizing the toolbars? It sounds like you accidentally dragged the New Tab button off of the toolbar. Open the main menu in the top right (also known as the hamburger menu because the button's icon is 3 horizontal lines). In the menu, click Customize... The window will change and have a grid of button icons. Find the icon named "New Tab," and drag it with the mouse into the toolbar near the spot you want the button to be. Finally, at the bottom right, click Done.

Since you're using the File menu, you can also find the Customize item in the View menu --> Toolbars --> Customize...

> which was extremely handy.

Tor Browser is based on Mozilla Firefox. Standard browser features such as tabs are adopted from them. They are free/libre open source software.

April 23, 2021

Permalink

I used tor browser on Windows 10 with safer setting, to download from rapidgator. Rapidgator don't allow me to download again in the next 2 hours. So I used the new identity feature in the browser and tried download another file from rapidgator but rapd gator said no download for next 2 hours for this ip address. I tried the safest setting and did the new identity 3 four times, yet rapidgator identified my ip address and said no downloads for next 2 hours. So rapidgator can easily identify a tor user, it's not anonymous at all

This is not an uncommon thing that happens when you use tor. All the millions of tor users are using the same ~1000 exit nodes. If RapidGator limits your usage, you're bound to have been affected by someone else's usage.

April 26, 2021

Permalink

Latest Windows has intermittent issues:
[04-26 06:56:00] TorLauncher NOTE: failed to open authenticated connection: [Exception... "Component returned failure code: 0x804b000d (NS_ERROR_CONNECTION_REFUSED) [nsIBinaryOutputStream.writeBytes]" nsresult: "0x804b000d (NS_ERROR_CONNECTION_REFUSED)" location: "JS frame :: jar:file:///C:/Tor%20Browser/Browser/browser/omni.ja!/chrome/torlauncher/components/tl-protocol.js :: _sendCommand :: line 890" data: no]

May 07, 2021

In reply to sysrqb

Permalink

indeed, that seems to be related to the timeouts being set to very small values in your app.

May 13, 2021

In reply to sysrqb

Permalink

Hello, would you add

  1. an update notice (e.g. Update: 7 May 2021: Android Tor Browser 10.0.16 is now available); and
  2. a link to the changelog of TB Android 10.0.16?

Thank you.

May 10, 2021

Permalink

When I download a new version of Tor Browser, I can't see the Top menu: File-Edit-View-History.

If I enable the Top Menu using View-ToolBars- Menu Bar
do I change the fingerprint of my browser and become more unique?

Thank you

May 18, 2021

Permalink

DuckDuckGo is not redirecting to its non-JavaScript page on Safest. It began sometime between 2021-05-14 and 2021-05-17.

June 05, 2021

In reply to sysrqb

Permalink

DDG is properly working again in safest. I don't know why. TBB 10.0.17, Linux-64, NoScript's Restricted CSS is disabled by TorButton in safest. Thanks.

May 27, 2021

Permalink

As of 10.0.16, duckduckgo (both .com and .onion) on Safest no longer automatically redirect to the non-JS site (https://html.duckduckgo.com/html/...). There is a "click here if you are not redirected" link, which works, but the redirect was automatic until recently. Not sure if it's TB or DDG's fault.

May 28, 2021

Permalink

Could you please provide information on what lead to decision that default window size should be 1000x1000?