New Release: Tor Browser 10.0.17

by sysrqb | June 2, 2021

Tor Browser 10.0.17 is now available from the Tor Browser download page and also from our distribution directory.

This version updates Firefox to 78.11esr. In addition, Tor Browser 10.0.17 updates NoScript to 11.2.8, HTTPS Everywhere to 2021.4.15, and Tor to 0.4.5.8. This version includes important security updates to Firefox for Desktop.

Warning:
Tor Browser will stop supporting version 2 onion services later this year. Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.
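To act on the warning above, it helps to know which saved addresses are still version 2. The following is an added example, not code from the Tor Project: it classifies .onion addresses in a text export of bookmarks by length and, for version 3, by the address checksum. The function names and the sample addresses are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches the host label directly in front of ".onion" (subdomains are ignored).
ONION_RE = re.compile(r"\b([a-z2-7]+)\.onion\b", re.IGNORECASE)


def classify_onion(label: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for the label in front of '.onion'."""
    label = label.lower()
    if re.fullmatch(r"[a-z2-7]{16}", label):
        return "v2"  # 80-bit truncated key hash: the deprecated format
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return "invalid"
    raw = base64.b32decode(label.upper())  # 32-byte key + 2-byte checksum + version
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return "v3" if version == b"\x03" and checksum == expected else "invalid"


def make_v3_label(pubkey: bytes) -> str:
    """Build a syntactically valid v3 label from 32 bytes (used for sample data only)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()


def audit(text: str) -> dict:
    """Group every .onion label found in text by its classification."""
    found = {"v2": [], "v3": [], "invalid": []}
    for label in ONION_RE.findall(text):
        found[classify_onion(label)].append(label.lower() + ".onion")
    return found


# Constructed sample bookmarks; none of these addresses is a real service.
GOOD_V3 = make_v3_label(bytes(range(32)))
BAD_V3 = GOOD_V3[:-1] + ("a" if GOOD_V3[-1] != "a" else "b")  # mistyped last character
SAMPLE = f"""
http://abcdefghijklmnop.onion/  old bookmark
http://{GOOD_V3}.onion/  migrated
http://{BAD_V3}.onion/  typo
"""

if __name__ == "__main__":
    for kind, hosts in audit(SAMPLE).items():
        print(kind, hosts)
```

Entries reported as v2 need a replacement address from the service operator; entries reported as invalid are usually truncated or mistyped v3 addresses.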

Note: The Android Tor Browser update will be available next week.

The full changelog since Desktop Tor Browser 10.0.16:

  • Windows + OS X + Linux
    • Update Firefox to 78.11.0esr
    • Update HTTPS Everywhere to 2021.4.15
    • Update NoScript to 11.2.8
    • Update Tor to 0.4.5.8
    • Bug 27002: (Mozilla 1673237) Always allow SVGs on about: pages
    • Bug 40432: Prevent probing installed applications
    • Bug 40037: Announce v2 onion service deprecation on about:tor

Comments

Please note that the comment area below has been archived.

June 02, 2021

Do I change the fingerprint if I display the Menu Bar on top?

I go to View-Toolbars-Menu Bar (checked)

Or if I remove the Bookmark Toolbar:
View-Toolbars-Bookmarks Toolbar

Thanks

June 02, 2021

The new banner on about:tor, "Tor is ending support...," links to Learn More, but that page doesn't say anything about v2 or v3. The page does however give a v2 address, and only a v2 address, as a proper example of an onion service under the question, "I've heard about websites that are only accessible over Tor."

June 05, 2021

In reply to sysrqb

Please note the second part of that comment concerned that Support lists "only a v2 address". The GitLab issue in your reply does not mention it. Here are some support pages that mention "only a v2 address":

https://support.torproject.org/onionservices/onionservices-1/
https://tb-manual.torproject.org/onion-services/#troubleshooting
https://support.torproject.org/onionservices/onionservices-3/

June 02, 2021

Regarding the deprecation of v2 onions, has there been any news from DuckDuckGo about upgrading their service to v3?

I have not sighted any news about this.

P.S. Why is the DuckDuckGo search not set to Onion by default? Is it due to their use of v2?

June 05, 2021

In reply to sysrqb

> they have concerns about supporting the resulting load.

So tell onion service admins to integrate OnionBalance for .onion with their load balancers for .com, .org, etc.

June 02, 2021

Tor WARN: Received http status code 404 ("Consensus is too old") from server 78.47.103.109:443 while fetching consensus directory.

June 03, 2021

Tor WARN: Received http status code 404 ("Consensus is too old") from server 78.47.103.109:443 while fetching consensus directory.
On every startup?

June 03, 2021

In reply to sysrqb

Does this mean hidden services can see what apps and software we have installed? Cheers for the merge request as well, basically an instant fix to all users. Carefully, he's a hero!

June 03, 2021

EFF (Full): A new ruleset bundle has been released, but it is older than the extension-bundled rulesets it replaces.  Skipping.

Yes, that's because they don't update rulesets on their update channel. They stopped accepting new rulesets, but that doesn't mean the end of maintaining the existing ones. So, at least, a June update should exist.

June 03, 2021

Hi, I'm from Iran, I cannot connect to Tor (with or without bridge) since yesterday even if I am using a proxy that changes my IP

There is a sharp increase in bridge users from Iran using obfs4 that started at the end of the month 2021-05 (May). The increase is nominal when compared to bridge users from all countries in the same time period.

Try changing your bridge. Try a different obfs4 bridge, or try a meek bridge. If you use a proxy or VPN in the chain before Tor, there could be an issue in that proxy. You could also try a bridge that uses a port that is usually open such as 443. If none of those help you, I guess it could be an issue in your ISP or country. Here's some more information about connecting from Iran.

Please supply more information if you find any. Read how to contribute to the Tor metrics timeline.

June 03, 2021

DuckDuckGo founder and CEO: “We're delighted that EFF has now entrusted DuckDuckGo to power HTTPS Everywhere going forward, using our next generation Smarter Encryption dataset."
Where are the statements from the Tor Project? Have you silently entrusted DuckDuckGo too?

June 03, 2021

Hi again, I posted a comment about 30 minutes ago and said I cannot connect to Tor in Iran since yesterday, I downloaded the last Tor version and now I am able to connect to Tor network, Thank you guys!

June 03, 2021

FYI:
* Last time - (16.05.2021 & TBB10.0.16) https://blog.torproject.org/comment/291807#comment-291807 - I had "10FVVUV & 99.01% unique".
* For now (04.06.2021 & TBB10.0.17) I got -
"0FVVVV - This is your identifier. It was seen 5002 times among 54006 tests so far.
That means it is 90.74% unique. Want to try again? We have generated your identifier based on 0 applications you have installed. Out of 24 applications in our database."

Is it a final solution?

> That means it is 90.74% unique.

I get 0FVVVV too on Tor Browser 10.0.17. The identifier has now been seen 6657 times among 64255 tests so far. That means it is 89.64% unique... based on 0 applications you have installed out of 24 applications in our database. It's looking better.

As long as that identifier is based only on detecting whether applications are installed, comparing it to identifiers retrieved from other browsers makes some sense but could be improved. It wouldn't make sense to compare browser fingerprints of regular browsers like Chrome and Safari with the fingerprints of Tor Browser because Tor Browser is made to stay as identical as possible in every installation, but regular browsers are not. Sites like EFF's panopticlick give comparisons that would be more meaningful if they compared Tor Browser with only other Tor Browsers to find anomalies in its intended uniformity. That is the goal of projects like TorZillaPrint.

Unfortunately the app does not have any control over CAPTCHAs; those are presented by the web site. Many Tor exit nodes have a bad reputation due to people abusing the Tor network, and that results in real people seeing CAPTCHAs.

June 14, 2021

In reply to sysrqb

"[...] never explicitly blocked"

Wrong. Till "Wed, 22 Jan 2020" it WAS working.
Read Mozilla's docs and you know why this is not working as it should be: "-pref("permissions.default.image", 1);[...], 3-dontAcceptForeign"
https://hg.mozilla.org/mozilla-central/rev/dea8bc3b320a
author pbz
Wed, 22 Jan 2020 10:45:15 +0000
changeset 511088 dea8bc3b320acdd689a27596a0a54eb794941333
parent 511087 74493854a1b6478d5a9c3674df1369788783eeee
child 511089 798234088fd904c05e9312a0f703980e284d3bf7
push id 37045
push user csabou@mozilla.com
push date Wed, 22 Jan 2020 21:48:55 +0000
#---------------------------------------------------------------------------
# Prefs starting with "permissions."
#---------------------------------------------------------------------------
+# 1-Accept, 2-Deny, Any other value: Accept
+- name: permissions.default.image
+ type: RelaxedAtomicUint32
+ value: 1
+ mirror: always
[...]
-pref("permissions.default.image", 1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
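Review bot: the new comment on permissions.default.image documents "1-Accept, 2-Deny, Any other value: Accept", while the removed pref line listed "3-dontAcceptForeign", so a profile that still holds the value 3 falls into the "Accept" case with no indication that its meaning changed. The comment should say explicitly that 3 is no longer honoured, or the change should come with handling or migration for that value, because anyone relying on it to refuse third-party images gets a silent behaviour change.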

"that will affect your browser fingerprint"

Sure, if you define it as normal that .onion sites load trackers and clearnet CDNs like Akamai, Amazon, Microsoft, and the user is, strangely enough, prohibited from stopping this.
When the TBB is normally loading Flash and Java, stopping this "will affect your browser fingerprint", too.

June 07, 2021

I updated my tor only to find my virus checker sees it as malware now ???
and puts it in quarantine

June 15, 2021

In reply to sysrqb

That support FAQ answer does not state that the error is usually because the virus scanner's maintainers have not updated its virus definition files to include the very new version of Tor Browser that's usually less than 3 days old when most complaints appear. Often, the user simply has to give them some time after Tor is released and then update their virus scanner. If the user doesn't want to wait, then yes, they can follow the linked answer as it's currently written to configure their scanner to ignore and never scan Tor Browser's EXE files. I personally don't like that answer.

June 08, 2021

Shortly after launch it tries to connect tcp 78.198.124.6:110. 110 is pop3. Is this normal behaviour?

June 22, 2021

In reply to sysrqb

> this relay's operator chose port 110

These should be noted also:
- https://community.torproject.org/relay/setup/#questions-you-should-clar… -- "We recommend port 443 if that is not used by another daemon on your server already. ORPort 443 is recommended because it is often one of the few open ports on public WIFI networks. Port 9001 is another commonly used ORPort."
- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorFAQ#how-can-i-… -- "Expose your Tor relay on port 443 (HTTPS) so that people whose firewalls restrict them to HTTPS can still get to it. Also, you should expose your directory mirror on port 80 (that even works if Apache is already listening there; but not working for a bridge)."
- https://2019.www.torproject.org/docs/faq.html.en#FirewallPorts
- https://community.torproject.org/relay/setup/bridge/debian-ubuntu/ -- "Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port."
- https://blog.torproject.org/comment/1620#comment-1620 -- "There are also rumors that some of Iran is blocking port 443, so putting your Tor server on strange ports is actually helpful for that too."

June 10, 2021

    // If a window is destroyed, and an incognito session existed, see if it still does.
    detect_incognito_destruction: async function() {
      if (state.incognito_session_exists) {
        if (!(await any_incognito_windows())) {
          state.incognito_session_exists = false;
          this.onIncognitoDestruction();
        }
      }
    },

this is null
during New Identity

June 22, 2021

In reply to sysrqb

'this' in 'this.onIncognitoDestruction()'

Yes, we've received many questions and comments about this decision. I didn't know about that thread, but I see other people already explained our position and why we took this path.

June 21, 2021

In reply to sysrqb

@sysrqb An explanation like that or clearer should be on the app store pages because the app stores are where new mobile users ultimately decide whether to install it or not, and it's where most mobile users complain. Don't let ideas for FAQ answers languish in some blog comment.

June 23, 2021

In reply to sysrqb

Many questions you haven't bothered to answer and now can't even be bothered to find the thread? Does this mean ALL Android users will always be getting tracked because you can't bother to remove it? Do trackers get to see what hidden services we visit?

No, the trackers are disabled. Zero information about your browsing behavior should leave your device. If anyone finds this is not the case, then that is a bug and we will fix it. However, the fact that we didn't completely remove the trackers in the app does not mean they are enabled.

June 15, 2021

This error appeared in a red box above this blog post when I posted a comment:

Deprecated function: Function create_function() is deprecated in GeSHi->_optimize_regexp_list_tokens_to_string() (line 4698 of vendor/geshi/geshi/src/geshi.php).

June 15, 2021

Tor as covered by journalists. Hey ggus, add this to https://www.torproject.org/press/ :

Shift - Living in the Digital Age, 2021-06-11
Deutsche Welle (DW)
about the darknet and Tor Project
https://www.dw.com/en/shift-living-in-the-digital-age/av-55987407

See also:
DW's director general, Peter Limbourg, replies to how traditional media organizations can navigate digitalization and social media.
https://www.dw.com/en/dws-director-general-we-have-all-the-opportunitie…