New Release: Tor Browser 10.0.2

Tor Browser 10.0.2 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 78.4.0esr and NoScript to 11.1.3. This release includes important security updates to Firefox.

Note: JavaScript on the Safest security level is now governed by NoScript again. The javascript.enabled preference was set to false on Safest in 9.5a9. It was reset to true for everyone using Safest beginning in Tor Browser 10.0, and you must set it to false again if that is your preference.
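
As an added example (not part of the original release notes, and not Tor Browser code), the following checks what a profile's prefs.js says about javascript.enabled. It assumes the usual `user_pref("name", value);` line format and that prefs.js records only values changed from the default, so after the reset the pref is absent and the default of true applies; the sample file bodies are constructed.

```python
import re

# Matches lines such as: user_pref("javascript.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Built-in default for the pref discussed in the note above.
DEFAULTS = {"javascript.enabled": True}

# Constructed sample: profile after the 10.0 reset (pref no longer listed).
AFTER_RESET = '''// Mozilla User Preferences
user_pref("accessibility.blockautorefresh", true);
'''

# Constructed sample: profile after the user sets the pref to false again.
AFTER_MANUAL = '''// Mozilla User Preferences
user_pref("accessibility.blockautorefresh", true);
user_pref("javascript.enabled", false);
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref line in a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def javascript_state(prefs_text):
    """Return (effective_value, explicitly_set) for javascript.enabled."""
    prefs = parse_prefs(prefs_text)
    explicit = "javascript.enabled" in prefs
    value = prefs.get("javascript.enabled", DEFAULTS["javascript.enabled"])
    return value, explicit

if __name__ == "__main__":
    for label, body in (("after reset", AFTER_RESET), ("after manual change", AFTER_MANUAL)):
        value, explicit = javascript_state(body)
        print(f"{label}: javascript.enabled={value} (explicit={explicit})")
```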

The full changelog since Tor Browser 10.0.1 is:

  • Windows + OS X + Linux
    • Update Firefox to 78.4.0esr
    • Update NoScript to 11.1.3
    • Bug 40192: Backport Mozilla Bug 1658881
    • Translations update
  • Linux

What do you mean? Bridges are preserved if you automatically update, so you don't need to do anything.

If you want to back up custom bridges you pasted in your Tor preferences, then open the preferences and copy them. Hamburger menu --> Preferences --> Tor --> Bridges. That GUI saves them in your torrc file.

However, if you use Tails, bridges are erased every time you shut down the OS. That could help or harm you depending on the fingerprintability of your hardware and whether you are mobile.

Anonymous

October 20, 2020

What about the top recent 0-day vulnerability with "external Fonts"? (0-day vulnerability via fonts - normally may contain PNG injections that can be specially prepared for evil; allegedly this vulnerability is already actively used!)
Does it affect this version??? Does NoScript prevent the issue or we have to use "browser.display.use_document_fonts" to stay safe???

PS. details: https://www.opennet.ru/opennews/art.shtml?num=53922

Anonymous

October 20, 2020

Requesting a new bridge does not prevent websites from loading in the background. The "Request a new bridge" button should work like a killswitch and prevent any background connections so the ISP can't know that someone is using tor. It'd also be nice to have a "reconnect to bridge" button because the only way to make tor + bridge work on an unstable internet without tor traffic being exposed to the ISP is to restart the whole browser which is annoying.

If you don't want your ISP to know that you're using Tor, then configure a bridge when you open Tor Browser for the first time after installing but before the browser window opens and makes connections. Do this by clicking Configure on the Tor Launcher window. If you skipped that and connected to a guard node, you already made it known that you're using Tor. Once the browser is open, then you can request a new, different bridge if you want to in Preferences.

The tor daemon tries to reconnect to the Tor network using your Tor preferences whenever a torified program such as Tor Browser tries to re-establish a connection. You don't need a button. Watch the circuit diagram in your address bar on each tab.

It sounds like you are misunderstanding several things. Please review the Support website, Tor Browser manual, old General FAQ, and open the address about:tor and click the onion circle in the top left.

Anonymous

October 21, 2020

"Tor Browser 10.0.1 (based on Mozilla Firefox 78.3.0esr) (64-bit)" does not update to 10.0.2 . It answers with "Tor Browser is up to date". The initial installation was done with 'torbrowser-install-win64-9.0.9_en-US.exe'. Afterwards it was always updated to each latest release. But now it fails. Known issue?

Anonymous

October 21, 2020

Hi!
Automatic updater does not seem to work on Linux (Debian and Whonix) as it usually does. I am stuck on Tor browser 10.0.1.

If I try to update manually (Burger Menu-> "Help" -> "About Tor Browser"), Tor Browser says: "Tor Browser is up to date".

This never occurred before.

Cheers.

Anonymous

October 21, 2020

On Oracle Linux 7 (64 bit) it complains about not being able to install the latest version (even though it is indeed the latest version).

Anonymous

October 21, 2020

Hello, I have had this problem for about a month. I have tried various solutions but none were effective. Please, if you help me, I would appreciate it.

Nombre del evento de problema: APPCRASH
Nombre de la aplicación: firefox.exe
Versión de la aplicación: 78.3.0.7427
Marca de tiempo de la aplicación: 00000000
Nombre del módulo con errores: RPCRT4.dll
Versión del módulo con errores: 6.1.7600.16385
Marca de tiempo del módulo con errores: 4a5be035
Código de excepción: c0000005
Desplazamiento de excepción: 0000000000049518
Versión del sistema operativo: 6.1.7600.2.0.0.256.48
Id. de configuración regional: 11274
Información adicional 1: c44b
Información adicional 2: c44bb8e579ee3565939a4f25524d7059
Información adicional 3: c344
Información adicional 4: c344e560ffdc86336feb659194704a5f

RPCRT4.dll is the Remote Procedure Call (RPC) API, used by Windows applications for network and Internet communication (source). Many of the errors from your log are also associated with dllhost.exe.

Is Windows updated? You can try removing/installing dotnet 4.0 or such, that might fix it.

Anonymous

October 21, 2020

How to turn off animations/effects like it was with toolkit.cosmeticAnimations.enabled;false in previous version of Firefox?

Interesting, wouldn't it be a good idea to add an entropy warning to about:config settings that aren't covered? Also including something similar to TorZillaPrint (but more user friendly) into the browser rather than github that covers all these things, would seem like a good idea.

> wouldn't it be a good idea to add an entropy warning to about:config settings

Not practical: prefs come and go all the time. Long term the strategy would be to make RFP less susceptible to external factors - e.g. some RFP patches bypass/ignore prefs. Canvas spoofing, for example, doesn't expose the canvas to extensions.

That said, there's an "easier" way: lock extensions to only those bundled (I'd like to see this TBH, in release and unlocked for alpha), lock out about:config and ignore user.js + auto config on start. Hide everything in preferences needed to be hidden. But I don't think anyone wants to go down that road.

That said, I think there are other more generic things that could be done: such as a warning for about:config that can't be disabled: not the "I accept the risk" warning that can be dismissed: I mean a bar across the top that says "Tor Browser says here be dragons - with a RESET button". And in the addons panel it could do the same re a warning. In preferences, some items could be tagged as "don't play with this".

I personally have never ever seen any message **in** Tor Browser that says not to mess with settings and not to install extensions - so NFI how new users are supposed to know. There are at least a couple of open tickets dealing with these.

I was thinking something like, a status page, perhaps included in about:tor that gives a basic status to show how unique your browser is, by loading something similar to TorZillaPrint, and give the user an easy way to fix the problems, disable add-ons, reset specific settings, etc.

It would seem to make sense to rather make the browser 'safe' by design rather than having expectations of users. I don't think it's a good idea to restrict the user, for example, I have to use many tweaks that likely make my browser more unique due to disabilities.

Just an example of some random ideas (have many). Load the web content, and only then, allow modifications to the content whilst disabling javascript, XHR connections, etc. These things cause breakage, but at least they would enable safer browsing.

Always a good idea to have more warnings. Though the adage of teaching 'why' and 'how' not just saying 'no', is a good one.

Thank you for the detailed reply.

Anonymous

October 21, 2020

Why does a blog page here never stop auto reloading after posting a comment? Opening a new tab with the page doesn't help either. Also, the comment form is not shown while the page is in this auto reload zombie mode. This behaviour has been going on for over 2-3 months now. JavaScript is disabled on my side.

That shouldn't be happening. Are you in safest mode? Any add-ons enabled?

about:config

accessibility.blockautorefresh;true
javascript.enabled;false

Does it fix with any of these options?

Anonymous

October 21, 2020

Is the privacy friendly elimination of Firefox forced sending to firefox.settings.services.mozilla.com in Tor Browser applicable for everyone in vanilla Firefox?

Would be very nice.

Anonymous

October 22, 2020

When will you finally fix that bug with the button that switches security levels??? It still doesn't work, so we are always forced to go into about:config to switch these levels.

Anonymous

October 22, 2020

If you're going to keep using geoip at least update it. It's been how many months since MaxMind changed their system just to opt-out California IP? In the meantime many of Tor network nodes have changed jurisdiction.

You have other options for sourcing geoip files, some of which require less processing than MaxMind mmdb.

Fix it, this isn't hard.
