New Release: Tor Browser 11.0a1 (Android Only)

by sysrqb | July 12, 2021

Tor Browser 11.0a1 is now available from the Tor Browser download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This version updates Fenix to 90.0.0-beta.6.

Warning:
Tor Browser Alpha does not support version 2 onion services. Tor Browser (Stable) will stop supporting version 2 onion services later this year. Please see the deprecation F.A.Q. entry regarding Tor version 0.4.6. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.

The full changelog since Tor Browser 10.5a17:

  • Android
    • Bug 40172: Find the Quit button
    • Bug 40173: Rebase fenix patches to fenix v90.0.0-beta.6
    • Bug 40179: Show Snowflake bridge option on Release
  • Build System
    • Android

Comments

Please note that the comment area below has been archived.

July 16, 2021

Permalink

Current stable version is leaking Accept-Language according to browserleaks.com/IP
System language is EN-US, shows as EN-US and if I change language in Tor it still says EN-US along with whatever language I've selected. Isn't this a fingerprint and identity risk?

July 16, 2021

Permalink

Why do I keep getting unresponsive script warnings? The app only works properly on its first use, after that its always warnings about httpseverywhere. I have to erase all data and start over every time I want to browse without being spied on. Could anyone give advice what to do?

July 20, 2021

In reply to sysrqb

Permalink

Yes it is the same as what user "LokiAstaroth" shows a photo of except it's for the HTTPS Everywhere add-on instead of whatever Pako is. It's been a known issue for over a year? I expected I was the odd one out likely due to idiocy but clearly not. Please get around to fixing it. It doesn't render the app unusable but it is a needless extra step and I worry many will click OK and continue browsing perhaps with insufficient protection due to broken scripts.

July 20, 2021

In reply to sysrqb

Permalink

Just managed to trigger it. I can't copy/paste what it says as the app won't let me. This is what it says.

Warning: Unresponsive script
A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: moz-extention://87ab41ed-6d15-...m/https_everywhere_lib_wasm.js317

July 20, 2021

In reply to sysrqb

Permalink

Very welcome. If possible please try to work a fix or the next release, it must be affecting plenty of people, I know it's open and it can all be done at home but I'm clueless. Another minor point you might want whilst here is that changing theme doesn't work, if you click the option for dark design the app flashes for a second and remains purple. It's nothing anyone would care about but might be worth mentioning Incase it links up with other codes/scripts

July 16, 2021

Permalink

Why can't we fully disable cookies? Tor is set to only block third parties by default and you can't change it? Host cookies can be used to identify you and we should have cookies fully disabled at default

The site can only identify you when you re-visit the same domain (as the first-party) who originally set the cookie, however when Javascript is not disabled then blocking first-party cookies would not prevent re-identification in this way because a web site can use local storage for a similar purpose. If you are concerned about a web site re-identifying you, then you should use the New Identity button or restart the browser before revisiting the site.

July 20, 2021

In reply to sysrqb

Permalink

So so long as JavaScript it fully disabled as it should be in "safest" mode then cookies pose zero threat? I'd appreciate confirmation as I've had cookies breach VPN previously.
Thanks.

No, when using Safest mode a cookie may be stored and a web site can potentially re-identify "you" if you reload the web page, or if you navigate away from that site and then return at a later time. A web site can not re-identify you using cookies after you restart the browser or use New Identity. Hopefully this is clearer.

July 20, 2021

In reply to sysrqb

Permalink

Yes that is clearer. Provided that "You" contains no real information about the end user then it's fine. I do still believe we should be given the option of fully blocking if we want to. Does the desktop version also have this restriction? If not then behind Tor + 3rd party enabled = Tor on Android. Site and service hosts will be able to tell who is on mobile and who is on desktop. I also appreciate the speed of your responses, I must have caught you with no Cheeto dust on them fangers

July 20, 2021

In reply to sysrqb

Permalink

It's about avoiding being identified to begin with, if you've been identified once then it's game over so re-identification just gives them what they already have. You need to explain in idiot friendly terms how to avoid identification from cookies. I can't tell if you mean we get identified straight away or we get identified by visiting a site that another previously visited site used to embed cookies, despite us not knowing when the third party cookie was attempted to be placed or which website it belongs to.

Yes, let me rephrase that answer. Cookies (from a first-party) are used for recognizing returning visitors, not identifying/tracking individual users. There is a fine line between these two actions, but cookies only providing a mechanism linking together requests from the same user/browser.

July 22, 2021

In reply to sysrqb

Permalink

the "cookie" setting actually controls "Site Data" and includes the ability for a site to use localStorage, sessionStorage, cookies, indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications). Note some of these do not apply to Tor Browser or PB mode

So in reality, the cookie setting can be abused by websites in many ways to facilitate tracking. But FPI isolates all those (maybe not service workers = not used in PB mode - I think there's a ticket for that) to first party. In fact, I don't even see the issue with 3rd party cookies here TBH

As sysrqb says, you need to use New Identity if you want to properly sanitize all methods that can be used to linkify. That is by design - but could do with some work to educate people (like myself, even I was confused)

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/402… is currently confidential, sysrqb feel free to unhide it

July 18, 2021

Permalink

Just would like to inform the team that bug 40110 has yet to be fixed and wondering if this more of a persistant feature than a temporary bug. Also would like to know if there's a workaround for it. Tq.

July 20, 2021

Permalink

When is new release? It's been month from last stable built. Lots of people still worried from tracking telemetry and unfixed bugs. Please do not see Android as a lesser priority