New Release: Tor Browser 10.0.12

by sysrqb | February 23, 2021

Tor Browser 10.0.12 is now available from the Tor Browser download page and also from our distribution directory.

This version updates Desktop Firefox to 78.8.0esr and Android Firefox to 86.1.0. In addition, Tor Browser 10.0.12 updates NoScript to 11.2.2, Openssl to 1.1.1j, and Tor to 0.4.5.6. This version includes important security updates to Firefox for Desktop, and similar important security updates to Firefox for Android.

The full changelog since Desktop and Android Tor Browser 10.0.11 is:

  • All Platforms
    • Update NoScript to 11.2.2
    • Update Openssl to 1.1.1j
    • Update Tor to 0.4.5.6
  • Windows + OS X + Linux
    • Update Firefox to 78.8.0esr
    • Bug 40026: Create survey banner on about:tor for desktop
    • Bug 40287: Switch DDG search from POST to GET
  • Android
    • Update Firefox to 86.1.0
    • Bug 40138: Create survey banner on about:tor for Android
    • Bug 40144: Hide Download Manager
    • Bug 40171: Make WebRequest and GeckoWebExecutor First-Party aware
    • Bug 40188: Build and ship snowflake only if it is enabled
    • Bug 40309: Avoid using regional OS locales
    • Bug 40344: Set privacy.window.name.update.enabled=false
  • Build System
    • Android
      • Bug 40214: Update AMO Collection URL
      • Bug 40217: Update components for switch to mozilla86-based Fenix

Comments

Please note that the comment area below has been archived.

February 23, 2021

Permalink

> Update Openssl to 1.1.1j

If a Linux distro's repository packages an older version, which one will Tor Browser use?

February 23, 2021

Permalink

Switching DuckDuckGo from POST to GET unfortunately doesn't solve DDG recently not rendering on safest security level.

Caution: Customizing your search engines makes your activity stand out and more trackable. Alternatives to customizing are to type in https://html.duckduckgo.com/html/ or to lower your security level to Safer or Standard. If you add a search engine or customize NoScript or save bookmarks, it's recommended to revert or delete your changes after the problem is repaired in a later version of Tor Browser.

As temporary workaround, when using DDG .onion or normal, insert "html" without quotation marks between / and ? into the URL string in the address bar, or set DDG HTML as standard SE in Options.

In Safest, DuckDuckGo works for me if I temporarily allow "script" for duckduckgo.com in NoScript. We should be asking DuckDuckGo to fix what it changed.

But if newbies read this, they should set Safer instead because customizing NoScript makes your browser fingerprint more identifiable. Do it only if you understand the implications and risks. NoScript's icon is hidden by default anyway. If you changed NoScript per-site permissions and no other options in NoScript, you can reset NoScript by changing Tor Browser's security level or by clicking the right-most big clock button in the top of NoScript's menu whose tooltip (hover pop-up text) says, "Revoke Temporary Permissions".

Wait for a moment. It will redirect to non-javascript site of DDG. If it don't do that it will say to click "here".
Or, you can just go to https://html.duckduckgo.com/html then search
Because in safest security settings Tor browser disable javascript.
If you want to use javascript version of any sites you should go with safer settings.

February 23, 2021

Permalink

DuckDuckGo, DuckDuckGo onion and Startpage searches no longer load when the safety slider is set on Safest. It loads when set on Safer.

This issue was intermittent with the previous version (10.0.10) but it appears not loading at all now.

February 23, 2021

Permalink

Survey page has expired. I took too long writing everything, and the website lost all of it. I hope my many paragraphs you weren't able to receive helped you a ton!! I won't be writing it again.

Same experience, survey page expired.

1. Survey blog post is locked for comments. Clearly this blog admin doesn't want user feedback on a user survey (this is actually kinda newb)

2. Multiple open text fields and explicit instructions to write out sentences and paragraphs, but session timeout is a mere few minutes. One could probably squeeze it in typing 1,000 wpm or more.

3. Probably shouldn't make an anonymous survey in wix. Lol.

February 23, 2021

Permalink

Thanks for your great work!

"Bug 40287: Switch DDG search from POST to GET": since this is not really a bug, but a change in a user preference setting, I personally do prefer POST much more. Perhaps this setting can be offered on the "Preferences/Search" tab...

Until then, what TorBrowser search file(s) can I tweak to revert my DDG searches back to the POST method? At least for the search bar.

Appreciate any info or link.
Thanks.

> what TorBrowser search file(s) can I tweak to revert my DDG searches back to the POST method?

It's complicated. First of all, you shouldn't. It is not recommended because the POST method will structure your packets differently from other Tor Browser users (who now do GET) and make your activity more trackable. Second, read this thread from the blog post announcing the release of the alpha version that contained the change.

Third, the files in the source code that were changed are listed in issue 40287 that you pasted. Issues in GitLab are called "Bug" in the blog post and changelog. A reply before mine noted the default file .../ddg/manifest.json inside an omni.ja archive. Json files can be opened in a text editor, never in a word processor. Don't edit files in the browser's folder while the browser is open. Close the browser, make a backup copy of the json file in case you break it, and make another copy you will edit and paste into the omni.ja file, overwriting the original manifest.json.

Examples of what to write in your edit are in the other reply and in files on Mycroft Project. Those custom search engines would be installed to the file ./tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/search.json.mozlz4 Mozlz4 files can be edited in the Firefox add-on mozlz4-edit. It's not recommended to install add-ons in Tor Browser.

February 24, 2021

Permalink

Now when activating plugin NoScript 11.2.2 and 11.2.3 the duckduckgo.com search engine does not work.

February 24, 2021

Permalink

This update: 10.0.12 is causing very high CPU usage on the Mac, compared to the previous version. Please fix this.

February 24, 2021

Permalink

DDG search becomes problematic for me . Someone asked for this change, to be able to return to the page that contains search results. By pressing [back] button. It's fine. But I don't want my search keywords to be visible in url . Isn't post always safer when it comes to handling form data ? Am I missing anything ?

> Isn't post always safer when it comes to handling form data?

No. The GET method does not significantly increase privacy. Read here:
https://blog.torproject.org/comment/290937#comment-290937

The significance of visibility of keywords in URLs is higher in your web browser than when the message data is in transit or on the server. Furthermore, most people don't save bookmarks, so the URLs in their browser session would be displayed on screen at the same time as the page contents would be. In that case, the page contents and the hostname are significantly more sensitive than keywords appended at the end of the URL, but neither the page contents nor the hostname are hidden by the POST or GET methods. People who do save bookmarks are assumed to understand the risks of saving their browsing history to disk and how to edit the bookmarks to remove keywords.

February 24, 2021

Permalink

Tor Project, ask your outreach team to consider putting out a call on social media for translators for Myanmar (Burmese language). They are protesting a military coup and could use Tor. In the message, translate the keywords into Burmese that Burmese speakers are most likely to stumble upon. Link to here: https://community.torproject.org/localization/ Include the most common hashtag, #WhatsHappeningInMyanmar

February 26, 2021

Permalink

Tor Browser does not work on OpenBSD.

However OpenBSD's official ports have tor and torsocks. If I install them, I will be able to tunnel internet traffic through Tor, is that right?

OpenBSD's port has Firefox. But I need to export Tor Browser's tweaks to Firefox before I can use the latter. How do I extract Tor Browser's multiple privacy settings?

Neither Tor Project nor Mozilla builds for *BSD. The versions of tor and tor-browser in OpenBSD's official repositories are old, insecure and not recommended. For example, in OpenBSD 6.8 the version of tor is 0.4.3.6, but the most recent as of the date of your comment were 0.4.5.6 or 0.4.4.7. Tor Browser's preferences are not the only changes from Firefox. There are changes to the source code as well. You would be better off trying to use the versions in FreeBSD's repositories, or installing a virtual machine to run Linux, or trying to compile the source code of Tor Browser for OpenBSD.

March 02, 2021

Permalink

It's now finally possible to get DV certs for your v3 onion site using the HARICA CA! Get your own here: https://www.harica.gr/Contact/GetHarica FAQ: "Do I need an HTTPS certificate for my onion?"

https://mastodon.social/@torproject/105821525048636734
https://twitter.com/torproject/status/1366811402552438786

Write information about DV certs for v3 onion services in the Community pages or in Tor Project's valuable but now non-editable wiki or before writing it on social media. You're setting it up to be forgotten.