New Release: Tor Browser 10.0.13 (Linux Only)

by sysrqb | March 4, 2021

Tor Browser 10.0.13 for Linux is now available from the Tor Browser download page and also from our distribution directory.

This version fixes instability on some Linux distributions.

The full changelog since Tor Browser 10.0.12 is:

  • Linux
    • Bug 40328: Fix instability after upgrading to glibc 2.33

Comments

Please note that the comment area below has been archived.

March 03, 2021

Permalink

I can't tell if my browser updated. [Help] -> [About Tor Browser] has a [restart to update] button. Clicking it does restart the browser, but the browser returns with the 10.0.12 version and the button remains.

Did someone forget to bump the version number?

March 04, 2021

Permalink

hi
please change the homepage, it's not nice
and "resource://torbutton-assets/tor-survey-icon.svg" doesn't get open when javascript is disabled!
maybe for its format
and something else,when i change security level to safest yet in about:config javascript.enabled is True by default!
and even duckduckgo doesn't work ok, and i had to disable it every time with myself,
and, when js is disabled and i open a mp4 file directly ( i mean player doesn't work that is normal and i search in source code and find the file to open) it's doesn't work with noscript, noscript warning doesn't work anymore when a file opened directly, if it work i can download the file just with its address but it has some problems and doesn't work
i hope you get what i mean, just read it again and i'm sorry for (bad EN writing), thanks

> "resource://torbutton-assets/tor-survey-icon.svg" doesn't get open when javascript is disabled

Yes, that was reported on the blog in 10.0.12 but not on Gitlab yet.
https://blog.torproject.org/comment/291208#comment-291208
If I understand correctly, the problem is that the safest security level sets the preference svg.disabled to true, and the icon image is an SVG file. One possible solution is for the developers to save the image as a PNG or JPG. They were able to make the image of the green computer on the black background for their donation campaign work without Javascript.

> when i change security level to safest yet in about:config javascript.enabled is True by default

Yes, under the button to select safest mode, it tells you, "JavaScript is disabled by default on all sites." Read the notes under each level's button.

> duckduckgo doesn't work ok

Yes, the solution is to open NoScript's options and enable the "noscript" permission for duckduckgo.com. That is a new permission in NoScript. It has been fixed in Tor Browser and will be released in one of the next versions. In the meantime, either change to "safer" security level, or open https://html.duckduckgo.com/html/ , or temporarily enable NoScript's "noscript" permission for duckduckgo.com or its onion service.

> when js is disabled and i open a mp4 file directly ( i mean player doesn't work that is normal and i search in source code and find the file to open) it's doesn't work with noscript, noscript warning doesn't work anymore when a file opened directly

MP4 files are often not stored on the same host as the player's webpage. If you try to open https://.../video.mp4 , you have to allow media in NoScript for the mp4's hostname. On the player's webpage, you may need to allow media for the player's hostname and the mp4's hostname.

NoScript's icon is hidden because it can affect your anonymity if you reconfigure it. Experienced users can find its icon in the main menu --> Customize, and drag its icon to the toolbar. NoScript's options can be reset if you change your security level. Be careful if you configure NoScript.

> Yes, the solution is to open NoScript's options and enable the "noscript" permission for duckduckgo.com. That is a new permission in NoScript. It has been fixed in Tor Browser and will be released in one of the next versions. In the meantime, either change to "safer" security level, or open https://html.duckduckgo.com/html/ , or temporarily enable NoScript's "noscript" permission for duckduckgo.com or its onion service.

When I try to use duckduckgo.com onion via the menu bar in Tor Browser included with Tails 4.16 (current), as of today the server does not respond but in Onion Circuits I see a connection to r3.o.lencr.org which allegedly is the EFF cert site letsencrypt.org but which has been reported as hosting malware.

Any comment?

r3.o.lencr.org is used for verifying a certificate was note revoked. It is run by Let's Encrypt. Malware use certificates from Let's Encrypt, so that may be why you are seeing the malware references.

> r3.o.lencr.org which allegedly is the EFF cert site letsencrypt.org

It isn't the site, but staff of Let's Encrypt stated that it is managed by them. It's their server for certificate revocation lists (CRL) and Online Certificate Status Protocol (OCSP).
https://community.letsencrypt.org/t/ocsp-uri-r3-o-lencr-org/145920
https://ssl-tools.net/webservers/r3.i.lencr.org

However, the certificates for DuckDuckGo.com and .onion are not issued by Let's Encrypt but by DigiCert. Running a DNS query on r3.o.lencr.org leads to random IPs allegedly owned by Akamai. Running a DNS query on crl3.digicert.com, seen in DuckDuckGo's certificate, leads to random IPs allegedly owned by Verizon, not Akamai. Therefore, I doubt r3.o.lencr.org was from DuckDuckGo.

You said you were using Tails, so it could have come from any application running in that OS because Tails redirects all external traffic through the Tor network. If it was from something in Tor Browser, it could have come from a host that DuckDuckGo's page accessed in the background (right-click --> Inspect Element --> Network tab --> refresh the page and watch) or from update checks by HTTPS-Everywhere or NoScript or Tor Browser itself.

Duckduckgo, redirected in the past to an noscript, no .js page, if there was no java scripting possible . I am not sure but I believe they changed their search engine.

March 05, 2021

Permalink

Please could every one check if you have "https Everywhere" extension, mine is gone with the new version 10.0.13.
I only have "NoScript" extension now :(

March 06, 2021

In reply to sysrqb

Permalink

Hi, I do not see visible differences, I just cannot find "https Everywhere" anywhere in the (Add-ons Manager),
do you still have it with the Tor Browser ?, or do I need to re-install my own version?

March 06, 2021

In reply to sysrqb

Permalink

That is a good thing--- unless the hard-coded version has been messed with by some hostile actor. I am alarmed that r3.o.lencr.org seems to be a cross-site-scripting site, not the actual site operated by eff.org which is letsencrypt.org.

Thank you, it is in "Customize" indeed so i can make it visible in the Menu Bar, but i cannot find it in Add-ons.
Perhaps something went wrong while I was updating the browser, I will try to re-install it and see if it appears again.

March 07, 2021

Permalink

Because this 10.0.13 version is only for Linux, automatic updating is completely broken on Mac currently. I have a Mac stuck on 10.0.5 and another stuck on 10.0.10. In Browser Console it is apparent that update-check gets 404 error trying to fetch non-existent 10.0.13-osx64-en-US.xml from Tor update server, but Firefox stupidly tells user browser is up to date. Anyway it seems Tor Project messed up in how to do a Linux-only release.

March 10, 2021

Permalink

First of all, hi, and thanks a lot for everything, really
some questions:
1. could bookmarked pages get used as a cookie-like thing for tracking?
2. in library menu, there is a option to restore past bookmarked pages, its wondering me 'cause tor browser should not store any information about past uses, but it does! why? this could be a problem in a public computer, when many persons want to use same account
thanks again.

Hello. Yes, bookmarks could be used as a tracker if the page you bookmark is somehow unique/special to you. As for restoring previously bookmarked pages, are you sure that's an option? You can restore previously closed tabs, but I don't see an option for restoring past bookmarks.