New Release: Tor Browser 10.0.2

by sysrqb | October 20, 2020

Tor Browser 10.0.2 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 78.4.0esr and NoScript to 11.1.3. This release includes important security updates to Firefox.

Note: Now Javascript on the Safest security level is governed by NoScript again. It was set as false when on Safest in 9.5a9. The javascript.enabled preference was reset to true for everyone using Safest beginning in Tor Browser 10.0 and you must re-set it as false if that is your preference.
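To see which of the two states a profile is in, the following added example (not Tor Project code) parses the `user_pref(...)` lines of a profile's prefs.js, with an optional user.js applied on top, and reports what governs JavaScript. The sample prefs text is constructed, and the pref name `extensions.torbutton.security_slider` with value 1 meaning Safest is an assumption that this post does not state.

```python
import re

# One line of prefs.js / user.js: user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$')

JS_PREF = "javascript.enabled"
# Assumption (not stated in the post): security-level pref name, 1 == Safest.
LEVEL_PREF = "extensions.torbutton.security_slider"
SAFEST = 1

# Constructed sample: a Safest profile after the 10.0 reset. prefs.js only
# stores values that differ from the default, so javascript.enabled is absent.
AFTER_RESET = '''// Mozilla User Preferences
user_pref("extensions.torbutton.security_slider", 1);
user_pref("accessibility.blockautorefresh", true);
'''
# Constructed sample: the same profile after the user set the pref to false.
SET_BY_USER = AFTER_RESET + 'user_pref("javascript.enabled", false);\n'


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def javascript_state(prefs_js, user_js=""):
    """Say what governs JavaScript for the profile described by the files."""
    prefs = parse_prefs(prefs_js)
    prefs.update(parse_prefs(user_js))  # user.js overrides prefs.js at startup
    if not prefs.get(JS_PREF, True):    # absent means the default, true
        return "disabled by javascript.enabled=false"
    if prefs.get(LEVEL_PREF) == SAFEST:
        return "Safest: governed by NoScript, javascript.enabled is true"
    return "javascript.enabled is true, level is not Safest"


if __name__ == "__main__":
    print(javascript_state(AFTER_RESET))
    print(javascript_state(SET_BY_USER))
```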

The full changelog since Tor Browser 10.0.1 is:

  • Windows + OS X + Linux
    • Update Firefox to 78.4.0esr
    • Update NoScript to 11.1.3
    • Bug 40192: Backport Mozilla Bug 1658881
    • Translations update
  • Linux

Comments

Please note that the comment area below has been archived.

October 21, 2020

In reply to sysrqb

I sad

October 20, 2020

On safest, "Donate Now" on about:tor is not visible. To test, change security level and refresh the page.

What do you mean? Bridges are preserved if you automatically update, so you don't need to do anything.

If you want to back up custom bridges you pasted in your Tor preferences, then open the preferences and copy them. Hamburger menu --> Preferences --> Tor --> Bridges. That GUI saves them in your torrc file.

However, if you use Tails, bridges are erased every time you shut down the OS. That could help or harm you depending on the fingerprintability of your hardware and whether you are mobile.

October 20, 2020

What about the top recent 0-day vulnerability with "external Fonts"? (0-day vulnerability via fonts - normally may contain PNG injections that can be specially prepared for evil; allegedly this vulnerability is already actively used!)
Does it affect this version??? Does NoScript prevent the issue or do we have to use "browser.display.use_document_fonts" to stay safe???

PS. details: https://www.opennet.ru/opennews/art.shtml?num=53922

October 20, 2020

Requesting a new bridge does not prevent websites from loading in the background. The "Request a new bridge" button should work like a killswitch and prevent any background connections so the ISP can't know that someone is using tor. It'd also be nice to have a "reconnect to bridge" button because the only way to make tor + bridge work on an unstable internet without tor traffic being exposed to the ISP is to restart the whole browser which is annoying.

If you don't want your ISP to know that you're using Tor, then configure a bridge when you open Tor Browser for the first time after installing but before the browser window opens and makes connections. Do this by clicking Configure on the Tor Launcher window. If you skipped that and connected to a guard node, you already made it known that you're using Tor. Once the browser is open, then you can request a new, different bridge if you want to in Preferences.

The tor daemon tries to reconnect to the Tor network using your Tor preferences whenever a torified program such as Tor Browser tries to re-establish a connection. You don't need a button. Watch the circuit diagram in your address bar on each tab.

It sounds like you are misunderstanding several things. Please review the Support website, Tor Browser manual, old General FAQ, and open the address about:tor and click the onion circle in the top left.

October 20, 2020

Why does the Android version ask for new permissions?

By the way, comments here often don't work without JavaScript.

October 21, 2020

"Tor Browser 10.0.1 (based on Mozilla Firefox 78.3.0esr) (64-bit)" does not update to 10.0.2 . It answers with "Tor Browser is up to date". The initial installation was done with 'torbrowser-install-win64-9.0.9_en-US.exe'. Afterwards it was always updated to each latest release. But now it fails. Known issue?

October 21, 2020

Did not automatically or manually update from within the app. I had to download and install.

October 21, 2020

Hi!
Automatic updater does not seem to work on Linux (Debian and Whonix) as it usually does. I am stuck on Tor browser 10.0.1.

If I try to update manually (Burger Menu-> "Help" -> "About Tor Browser"), Tor Browser says: "Tor Browser is up to date".

This never occurred before.

Cheers.

October 21, 2020

On Oracle Linux 7 (64 bit) it complains about not being able to install the latest version (even though it is indeed the latest version).

October 21, 2020

Hello, I have had this problem for about a month. I have tried various solutions but none were effective. Please, if you help me, I would appreciate it.

Nombre del evento de problema: APPCRASH
Nombre de la aplicación: firefox.exe
Versión de la aplicación: 78.3.0.7427
Marca de tiempo de la aplicación: 00000000
Nombre del módulo con errores: RPCRT4.dll
Versión del módulo con errores: 6.1.7600.16385
Marca de tiempo del módulo con errores: 4a5be035
Código de excepción: c0000005
Desplazamiento de excepción: 0000000000049518
Versión del sistema operativo: 6.1.7600.2.0.0.256.48
Id. de configuración regional: 11274
Información adicional 1: c44b
Información adicional 2: c44bb8e579ee3565939a4f25524d7059
Información adicional 3: c344
Información adicional 4: c344e560ffdc86336feb659194704a5f

RPCRT4.dll is the Remote Procedure Call (RPC) API, used by Windows applications for network and Internet communication (source). Many of the errors from your log are also associated with dllhost.exe.

Is Windows updated? You can try removing/installing dotnet 4.0 or such, that might fix it.

October 21, 2020

how to turn off animations/effects like it was with toolkit.cosmeticAnimations.enabled;false in previous version of firefox?

Interesting, wouldn't it be a good idea to add an entropy warning to about:config settings that aren't covered? Also including something similar to TorZillaPrint (but more user friendly) into the browser rather than github that covers all these things, would seem like a good idea.

> wouldn't it be a good idea to add an entropy warning to about:config settings

Not practical: prefs come and go all the time. Long term the strategy would be to make RFP less susceptible to external factors - e.g. some RFP patches bypass/ignore prefs. Canvas spoofing, for example, doesn't expose the canvas to extensions.

That said, there's an "easier" way: lock extensions to only those bundled (I'd like to see this TBH, in release and unlocked for alpha), lock out about:config and ignore user.js + auto config on start. Hide everything in preferences needed to be hidden. But I don't think anyone wants to go down that road.

That said, I think there are other more generic things that could be done: such as a warning for about:config that can't be disabled: not the "I accept the risk" warning that can be dismissed: I mean a bar across the top that says "Tor Browser says here be dragons - with a RESET button". And in the addons panel it could do the same re a warning. In preferences, some items could be tagged as "don't play with this".

I personally have never ever seen any message **in** Tor Browser that says not to mess with settings and not to install extensions - so NFI how new users are supposed to know. There's at least a couple of open tickets dealing with these.

I was thinking something like, a status page, perhaps included in about:tor that gives a basic status to show how unique your browser is, by loading something similar to TorZillaPrint, and give the user an easy way to fix the problems, disable add-ons, reset specific settings, etc.

It would seem to make sense to rather make the browser 'safe' by design rather than having expectations of users. I don't think it's a good idea to restrict the user, for example, I have to use many tweaks that likely make my browser more unique due to disabilities.

Just an example of some random ideas (have many). Load the web content, and only then, allow modifications to the content whilst disabling javascript, XHR connections, etc. These things cause breakage, but at least they would enable safer browsing.

Always a good idea to have more warnings. Though the adage of teaching 'why' and 'how' not just saying 'no', is a good one.

Thank you for the detailed reply.

October 21, 2020

Why does a blog page here never stop auto reloading after posting a comment? Opening a new tab with the page doesn't help either. Also, the comment form is not shown while the page is in this auto reload zombie mode. This behaviour has been going on for over 2-3 months now. JavaScript is disabled on my side.

That shouldn't be happening. Are you in safest mode? Any add-ons enabled?

about:config

accessibility.blockautorefresh;true
javascript.enabled;false

Does it fix with any of these options?

October 21, 2020

Is the privacy friendly elimination of Firefox forced sending to
firefox.settings.services.mozilla.com
in Torbrowser applicable for everyone in vanilla Firefox?

Would be very nice.

October 22, 2020

When will you finally fix that bug with the button that switches security levels??? It still doesn't work so we are always forced to go into about:config to switch these levels.

October 28, 2020

In reply to sysrqb

I think he means the fact that you can't change security levels anymore without going to about:preferences

October 22, 2020

If you're going to keep using geoip at least update it. it's been how many months since maxmind changed their system just to opt-out california ip? in the meantime many of tor network nodes have changed jurisdiction.

you have other options for sourcing geoip files.. some of which require less processing than maxmind mmdb

fix it this isn't hard

October 22, 2020

I am unable to locate the torrc file at all with this version. Although Tor seems to be listening on 9150, I would want to change that to a static port of choice, for instance. All that I am seeing in my (Catalina - 10.15.7 & Tor 10.0.2) `Applications/Tor Browser.app/Contents/Resources/TorBrowser/Tor` are the below files:

  1. -rw-rw----@ 1 admin admin 4913550 Oct 22 13:11 geoip
  2. -rw-rw----@ 1 admin admin 3156350 Oct 22 13:11 geoip6
  3. -rwxrwx---@ 1 admin admin 735 Oct 22 13:11 tor*
  4. -rw-rw----@ 1 admin admin 1232 Oct 22 13:11 torrc-defaults

the torrc-defaults is nothing like what is mentioned here

I would also want to be able to say set the control port password, which I used to be able to do earlier with the torrc.

Where do I find the torrc file ??
Also, if it helps the only 2 locations I find any file by the name torrc on my system are these:

  1. `/System/Volumes/Data/Users/admin/Library/Application\ Support/TorBrowser-Data/Tor/`
  2. `/Users/admin/Library/Application\ Support/TorBrowser-Data/Tor/`

https://support.torproject.org/tbb/tbb-editing-torrc/

Your 1. or 2. are likely deep within a symbolic link to the other, represented by an l as the first letter of the permission lines output by ls -l and an arrow near the end of the line showing where the link points. Notice they are identical after /System/Volumes/Data/. Tor Browser.app is the installer that you downloaded whereas ~/Library contains the directory where you installed it. Look in ~/Library as the support answer explains.

That's what the support link suggests.

On macOS:

The torrc is in the Tor Browser Data directory at ~/Library/Application Support/TorBrowser-Data/Tor.
Note the Library folder is hidden on newer versions of macOS. To navigate to this folder in Finder, select "Go to Folder..." in the "Go" menu.
Then type "~/Library/Application Support/" in the window and click Go.

This ~/Library/Application Support/TorBrowser-Data/Tor however does not have the torrc!

October 22, 2020

Your version from 10 onward is classified as a virus by AVAST, and that makes TOR Browser unusable.

It is only possible once right now, since I restored the version 9 release, but the stupid forced TOR (Firefox) update immediately makes TOR unusable again!

No help visible anywhere, let alone a fix in a new TOR version. Thanks, AVAST, who also block mail.de! Betrayal of data, from the legislature on down, for and by companies in Germany is unfortunately LEGITIMIZED!

https://support.torproject.org/de/tbb/tbb-10/
https://support.torproject.org/de/tbb/antivirus-false-positive/

Have you updated the virus definition files of your antivirus scanner? Some scanners are not able to recognize new software until a few days after the software is released and you update your scanner. You commented on October 22, and Tor Browser 10.0.2 was released on October 20.

October 23, 2020

With version 10.0.2 I am having lots of crashes (2/3 per day) by just opening links in new tabs (wheel button).
This didn't happen in 10.0.1 and before. It was a few years I didn't see crashes on Tor.
From the comments looks like it happens only to me / my configuration (win10 updated).
I also noticed that https kicks in randomly on .onion sites: shouldn't make sense, isn't it?

We haven't received other reports of crashing with this version. Do you see any consistency in when it happens? Does it crash on specific sites? Can you reproduce the crash if you visit the site again?

October 26, 2020

In reply to sysrqb

Nope about the crash. Some sessions are affected and some aren't. I used to set win to sleep when not in use, now I shutdown and restart and up to now had no more crashes.

Still crashes each time I use Tor. Only happens on click on link with middle mouse button to open a new tab. But totally random, couldn't find a pattern. Really annoying.

October 23, 2020

Hello Torproject,
does Torbrowser need "network.proxy.enable_wpad_over_dhcp:true" or is this a privacy problem?

October 24, 2020

The javascript note is very confusing.
>Now Javascript on the Safest security level is governed by NoScript again. It was set as false when on Safest in 9.5a9. The javascript.enabled preference was reset to true for everyone using Safest beginning in Tor Browser 10.0 and you must re-set it as false if that is your preference.
>and you must re-set it as false if that is your preference.
>if that is your preference.
This is worded strangely.
1. Am I not "really" preferring javascript to be disabled in Security Level: Safest?
2a. Wouldn't ticking javascript.enabled to 'false' be a potential vector for deanonymization?
2b. Or are you saying that this about:config option has been made irrelevant due to the privileging of NoScript settings completely over those of the browser?

This is saying that NoScript controlling whether javascript is executed should be as safe as disabling javascript via the |javascript.enabled| pref in about:config. We know there are Tor Browser users who use the Safest level but they selectively enable javascript on some sites. This is not a behavior Tor Browser should prevent. However, if you never want javascript enabled on any site or you don't trust NoScript, then you may change |javascript.enabled| in about:config.

This announcement in the blog post was needed because when we originally forced disabling javascript via the preference on the Safest level, we did not save if Tor Browser had |javascript.enabled| as |false| already. Therefore, now when moving users back to disabling javascript via NoScript, all users must be moved because Tor Browser doesn't remember if you previously manually set the preference.

October 25, 2020

It always starts with http, 9.54 has no problem with starting with https. Why is it apparently impossible to start with https in Tor10.x.x?

October 27, 2020

In reply to sysrqb

Any webpage I enter in the address line, like example.com, it says http in ver. 10.0x. In ver 9.54 it always says https.

October 27, 2020

In reply to sysrqb

What happens if I use:
dom.security.https_only_mode = true
dom.security.https_only_mode_ever_enabled = true
dom.security.https_only_mode.upgrade_local = true
dom.security.https_only_mode.upgrade_onion = true

If I do and open qrmfuxwgyzk5jdjz.onion, i.e., it says: Secure Connection Unavailable - You’re browsing in HTTPS-Only Mode and I have to "accept the risk", because qrmfuxwgyzk5jdjz.onion is http-only. But it doesn't do the same for http-only non-onion sites.

October 25, 2020

Cannot comment here with 10.0.2, it goes into an endless loop, but 9.54 has no problem. To the best of my knowledge, all my settings are the same in both versions.

October 27, 2020

In reply to sysrqb

Yes, but in both versions, and I have fiddled with that and it makes no difference. Still might be a problem with some obscure setting though.

October 30, 2020

Change text "Firefox" to "Tor Browser" in "Unable to connect" error message

"Unable to connect"
"Firefox can't establish a connection to the server at"
"www.[domain].com"
Blue Mozilla small dinosaur holding two plugs.
"Try Again" blue button
[Three bullets] The third one correctly says: "If your computer or network is protected by a firewall or proxy, make sure that Tor Browser is permitted to access the Web."

November 04, 2020

I have noticed that sometimes on Onion services (v3) the back-up guard node takes over from the guard. I have not seen this happen on non-onion services.

Have you any thoughts on why this is happening?

Thank you.