New Release: Tor Browser 10.0.15

by sysrqb | March 28, 2021

Update: 9 April 2021: Android Tor Browser 10.0.15 is now available.

Tor Browser 10.0.15 is now available from the Tor Browser download page and also from our distribution directory.

This version updates OpenSSL to 1.1.1k. In addition, Tor Browser 10.0.15 includes a bugfix for when JavaScript is disabled on websites.

Relay operators who use the Windows Expert Bundle are strongly encouraged to upgrade their relay.

Note: Tor Browser will stop supporting version 2 onion services in June (two months from now). Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.

The full changelog since Desktop Tor Browser 10.0.14 and Android Tor Browser 10.0.12 is:

  • Windows + OS X + Linux + Android
    • Update OpenSSL to 1.1.1k
    • Bug 40030: Add 'noscript' capability to NoScript
  • Android
    • Update Fenix to 87.0.0
    • Update NoScript to 11.2.4
    • Update Tor to 0.4.5.7
    • Translations update
    • Bug 40045: Add External App Prompt for Sharing Images
    • Bug 40047: Rebase android-components patches for Fenix 87.0.0
    • Bug 40151: Remove survey banner on TBA-stable
    • Bug 40153: Rebase Fenix patches to Fenix 87.0.0
    • Bug 40365: Rebase 10.5 patches on 87.0
    • Bug 40383: Disable dom.enable_event_timing
  • Build System
    • Android
      • Bug 40162: Build Fenix instrumented tests apk
      • Bug 40172: Move Gradle compilers out of android-toolchain to own gradle project
      • Bug 40241: Update components for mozilla87-based Fenix

Comments

Please note that the comment area below has been archived.

Working again for me too! Thank you thank you Tor people!

I do not really search much but when I do I am doing research and it is important to be able to click on search page links with the highest security level, because when researching obscure topics you are often directed to other than well-known sites. For that matter, even major media sites have been found at times to be unwittingly serving malware.

Request: when Tor Project gets the "anonymously report an issue" tool ready, PLEASE explain how to use it in a post in this blog. Please note that requiring users to have an email account, chat account, etc. will exclude some users. OTOH, Tails Project uses whisperback which is not perfect but does not require anything not already provided in a standard Tails. In the same way, any "secret" tokens or whatever should be provided with the latest TBB tar ball. It would be useful to be able to report both observations about strange behavior of the Tor network as well as documenting bugs. Alternatively, it would be fabulous if TP followed the Riseup example and had a Tor network health barometer on the home page, so that users can be alerted (and know they should be patient) if TP thinks the network is currently under attack.

> major media sites have been found at times to be unwittingly serving malware.

My virus scanner once encountered state-sponsored malware on the website of a major media corporation based in that same nation-state. Makes you wonder about the ties between money, politics, law, rights, and class.

> when Tor Project gets the "anonymously report an issue" tool ready, PLEASE explain how to use it in a post in this blog.

They did on February 09, 2021: https://blog.torproject.org/anonymous-gitlab

> Tails Project uses whisperback
> any "secret" tokens or whatever should be provided with the latest TBB tar ball.
> if TP followed the Riseup example and had a Tor network health barometer on the home page, so that users can be alerted (and know they should be patient) if TP thinks the network is currently under attack.

Good ideas. I hope Tor Project looks into them. You can get their attention anonymously by reporting an issue. I don't see a barometer on RiseUp's home page, but here is Tor Project's Status portal: https://status.torproject.org/
And here is the Metrics portal: https://metrics.torproject.org/
Also recently relevant: https://blog.torproject.org/contribute-to-tor-metrics-timeline

March 29, 2021

Is there any chance it would be possible to ask you to keep a live link to previous versions at least for a few days after a new release, in order to allow package management solutions (e.g. chocolatey) some time to update the tor package? Currently every time you release a new version, it breaks the package which still points to the older version download link (right now it's 10.0.12 for example).
No need to reply, just food for thought.
Thanks in advance.

> keep a live link to previous versions at least for a few days after a new release, in order to allow package management solutions (e.g. chocolatey) some time to update the tor package?

The previous versions are on live links. Copy the URL from the download page, and go up a few directories:
https://www.torproject.org/dist/torbrowser/

Or, better than that, this file -- whose name never changes -- can be parsed:
https://www.torproject.org/dist/torbrowser/update_2/release/downloads.j…
It redirects to aus1.*

Tell chocolatey's maintainers.

March 30, 2021

Was there yet another java "leak"? I read about it on the Google Play feedback section for the Android app but assumed it only affected the Android version due to how crap it is and how little care Tor Devs have for it. I'm sure plenty of hidden services exploited their lack of user protection.

April 16, 2021

In reply to sysrqb

Just open Tor Browser's page in Google Play, click on "Read All Reviews," and do Ctrl+F for "java".

Why does Tor Project neglect looking there for bug reports? You need to go and write in your app's description on its page (Play, GuardianProject) to tell people to bring their bug reports to reporting channels that are monitored!

  • 2021-02-21: can't open "about:config" in the address bar to turn off Javascript
  • 2021-02-22: unable to deactivate java script
  • 2021-03-02: WHY IS [NoScript] the only addon that needs to be reset to default to block java??
  • 2021-03-02: I'm told that Javascript is running and I need to disable it before I can proceed.
  • 2021-03-06: on safest and it still talks of JavaScript
  • 2021-03-12: One day it works on sights where java script needs disabling the next day it doesn't , I wrote "about:config" in the address bar and once it took me to some settings where I could toggle jscript from true to false and then it worked ,but again it doesn't with no way of accessing the settings
  • 2021-03-14: Current build of the official TOR browser gives Javascript errors, states Java is running even in high security mode and "about config" is totally unresponsive. Many sites left inaccessible by this error.
  • 2021-03-30: it says javascript needs to be disabled but the about:config method I originally used to disable javascript no longer works
  • 2021-03-31: .onion page and they tell you to turn off Java

They could be because of Bug 40030: Add 'noscript' capability to NoScript. But many of them are dangerously customizing about:config. A proper notice from developers could have mitigated their action.

No, all of those comments are due to misunderstanding how the Safest security level works. This has no relationship to Java. Tor Browser does not disable JavaScript via the internal Firefox preference. It uses NoScript to disable JavaScript for each page.

April 17, 2021

In reply to sysrqb

Are you sure they're due to a misunderstanding? It's plausible that a website might reach an unanticipated condition if NoScript is blocking JavaScript and, as was true at the time, NoScript is blocking the "noscript" tag.

April 22, 2021

In reply to sysrqb

You don't seem to understand, re-read the whole thing and focus on 2021-03-31: ".onion page and they tell you to turn off Java". Someone went onto a Tor .onion site using your official Android app and the service detected that it could run java, what more proof do you need? Let me guess: Uhhh... it's the fault of NoScript and we aren't them! - Uhhh... it's the fault of Mozilla and we aren't them! - Uhhh... the hidden service got it wrong, siwwy survus!

Tor = uncaring money sponge death cult

First, please be specific about *javascript*, not *java*. They are completely different languages and their exploitation is completely different.

The comment from 2021-03-31 says: "Lol try to look up a .onion page and they tell you to turn off Java when the search doesn't work and they're not competent enough to add a setting built into THEIR browser. Orfox is gone yet still better than this".

They should disable Javascript by using the Safest security level.

> You don't seem to understand
I disagree. sysrqb's reply on April 20 explained it sufficiently.

OP asked if there was a Java "leak". There wasn't and isn't, neither for Java nor JavaScript. (Browsers run JavaScript. Java (not script) would require a plug-in that users would have to install themselves. It would activate if a website embeds Java applets which are basically never used in web design anymore.) Real leaks by JavaScript in Tor Browser happened over the years, but this isn't one of them. The messages from websites are most likely because of users being on a certain security level, or because of the recent blocking of the "noscript" HTML tag by NoScript, or because of other misconfigurations done by the users such as in about:config.

> the service detected that it could run java
Not necessarily detected correctly.

If a message was due to the "noscript" tag being blocked, then the message was probably false because that was a new feature in NoScript that websites most likely were not prepared to respond to and summarily stumbled and vomited up a result. Tor Browser in the meantime was blocking or allowing JavaScript ("script" in NoScript) according to the security level correctly as normal.

Mozilla was not involved. NoScript rolled it out suddenly, possibly as an automatic update. Tor Project didn't test it. Websites were handling the tags in the manner they had always expected them to be. Tor Browser kept on treating JavaScript the way users expected it would.

March 30, 2021

When I enter about:networking#networkid in the URL there is a value called network id. What is this value and how is it used?

April 20, 2021

In reply to sysrqb

> we don't have to spoof it right now. This might change in the future [...] but I hope we'll be able to catch that if it happens.

What's the harm in spoofing it right now? Make it identical for every Tor Browser. Is the network ID used for anything more than Firefox Private Network (VPN)? Will Tor Browser ever use Firefox Private Network? If the answers are "no", then what's the harm in spoofing it now to mitigate future changes by Mozilla?

April 11, 2021

It's no longer possible to connect to version 2 onion services with Tor Browser 10.5a13. Wasn't the deadline supposed to be June 2021?

Correct, as noted above:

> Note: Tor Browser will stop supporting version 2 onion services in June (two months from now). Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.

https://blog.torproject.org/v2-deprecation-timeline

Tor Browser Alpha contains an alpha version of tor version 0.4.6 where v2 onion support is already removed.

April 17, 2021

The Tor Browser is a very useful and effective tool in assisting in finding necessary information.