New Release: Tor Browser 10.0.5

Updated on 27 November 2020: Android Tor Browser 10.0.5 is now available. (Originally published on 17 November)

Tor Browser 10.0.5 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox on desktops to 78.5.0esr, Fenix on Android to 83.1.0, and Tor to 0.4.4.6. It includes important security updates to both Desktop Firefox and Android Firefox.

Note: Android Tor Browser 10.0.5 is delayed until next week. In the future, new Tor Browser versions for Android and Desktop should be published at the same time.

The full changelog since Tor Browser 10.0.4 (Desktop) is:

  • Windows + OS X + Linux
    • Update Firefox to 78.5.0esr
    • Update Tor to 0.4.4.6
    • Bug 40212: Add new default obfs4 bridge

The full changelog since Tor Browser 10.0.4 (Android) is:

  • Android
    • Update Fenix to 83.1.0
    • Update Tor to 0.4.4.6
    • Bug 40212: Add new default obfs4 bridge
  • Build System
    • Android
      • Bug 40126: Update toolchains for Fenix 83
      • Bug 40126: Bump Node to 10.22.1 for mozilla83
      • Bug 40127: Update GeckoView to 83, android-components to 63.0.1, and Fenix to 83.0.0b2
      • Bug 40160: Update Fenix to 83.1.0, and android-components to 63.0.9
      • Bug 40211: Lower required build-tools version to 29.0.2

PETER

November 17, 2020

To Tor,

TURN OFF all my updates, a bloody never ending constant stream of updates, more updates. Bugger off, I have looked at the Tor settings and apparently there is no turn off button, Mmm why am I not that surprised.

John.

Are you on Android? Because desktop is based on Firefox ESR and doesn't update more than about twice a month. If your comment is a taste of things to come for desktop, we'll be hearing more complaints like yours after desktop eventually migrates to Firefox's standard releases. Everyone better get used to saving their tab sessions as bookmarks.

PETER

November 17, 2020

Thank you, Tor Project. After update, the browser opened to a purple tab, "Tor Browser has been updated," and the tab flap says "About Tor". Is it supposed to be purple? I was expecting the black layout that asks for donations.

I sure hope that when Desktop and Android are published at the same time that Desktop will still be able to access about:config.

Yes, the "Tor Browser has been updated" page is now remaining purple, even if the background on about:tor is black (or another color). Some users became concerned on a previous update when the "updated" page unexpectedly was black. We hope this change will provide continuity across versions. You can see the details at https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/40021

Regarding about:config, there aren't any plans for removing access on desktop.

Why has about:config been blocked on the android version? And why is there no longer any option to change the home page to blank on android? Not everyone is into the anarcho-grunge purple esthetic appearing on their phone every time they open their browser...lol

> why is there no longer any option to change the home page to blank on android?

I'm surprised there isn't. Big Tor logos can be a liability in the presence of authorities hostile to privacy.

Out of curiosity, is Android Tor Browser or Android Firefox or Fenix able to access about:config at this address? chrome://global/content/config.xhtml Desktop Firefox and Tor Browser have a new interface for about:config since some months ago, but its old interface is accessible at that address. I bookmarked the old interface because the new interface doesn't have the feature to sort columns.

PETER

November 17, 2020

What does this entry mean:
firefox.settings.services.mozilla.com 443

in about:networking#http ?

Issue 40038 is closed and implemented. Remote Services will not be completely disabled because Firefox (and Tor Browser) rely on downloading some updated information from Mozilla. We do not recommend you completely disable Remote Settings.

PETER

November 18, 2020

Nice.

PETER

November 18, 2020

[11-18 09:51:46] Torbutton WARN: Version check failed! JSON parsing error: SyntaxError: JSON.parse: expected ',' or ']' after array element at line 19 column 1 of the JSON data

PETER

November 18, 2020

Hi,
why is the Android release delayed? Is there any ticket explaining the problem?
Thanks

The delay was due to insufficient testing of the Android version. We simply needed additional time for testing the new version in an Alpha version before publishing it as a stable version.

PETER

November 18, 2020

Official name is "Firefox for Enterprise", not "Firefox for Desktop", so this is "Tor Browser for Enterprise".

The purpose of notating a version as "Desktop" or "Android" is only distinguishing between the two general platforms. The goal is not distinguishing between the Extended Support Release ("for Enterprise") and Rapid Release ("Release"), therefore we describe these as Android Tor Browser and Desktop Tor Browser.

PETER

November 18, 2020

What's with disabling the "picture-in-picture" feature for videos? It has to be reenabled via about:config. It can't be a security risk, surely?

PETER

November 18, 2020

There is still the bug of DDG searches made in the address bar disappearing when hitting the back navigation button after visiting another website. Really annoying (I don't use the normal search bar, just the address bar for searches, like many people). Will this ever be fixed, or is it a firefox/mozilla bug/feature?

DDG still discloses the search query by showing it in the URL (submits the form via the GET method) on the TorBrowser's Safest security level (DDG's scripts are not allowed in NoScript). The workaround is to always search in the weaker TB security mode :(, or manually add DDG to the NoScript's Trusted sites before each search(!).
Consider adding DDG to the Trusted Sites list of NoScript.

No, that is not the case. The search query is shown in the URL bar when using the Safest security level because DDG redirects the query from duckduckgo.com to html.duckduckgo.com, and that redirect changes the request from a POST to a GET. Subsequent queries on html.duckduckgo.com use POST. However, aside from potential shoulder-surfing, I don't see much benefit to using POST requests, especially given the usability problem it introduces as described by the OP.
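
The method change described in the reply above can be reproduced against a local server. This is an added example, not part of the original thread or Tor Project code; the 302 status, the `/search` and `/html/` paths and the `q` field are assumptions, since the thread does not give them.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

seen = []  # (method, path, body) for every request the constructed server receives


class Handler(BaseHTTPRequestHandler):
    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode()
        seen.append((self.command, self.path, body))
        return body

    def do_POST(self):
        body = self._record()
        # Assumed behaviour: bounce the form to the HTML-only endpoint,
        self.send_response(302)  # carrying the submitted fields in the URL.
        self.send_header("Location", "/html/?" + body)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._record()
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def trace(query):
    """POST `query` as a form, follow the redirect, return (requests seen, final path)."""
    seen.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    data = urllib.parse.urlencode({"q": query}).encode()
    with opener.open(base + "/search", data=data) as resp:
        final = resp.geturl()
    server.shutdown()
    server.server_close()
    return list(seen), final[len(base):]
```

After the 302 the client re-issues the request as a GET with an empty body, so the query is visible only in the URL. A browser preserves the method on 307 and 308 responses, which keeps form fields in the request body.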

I think its behavior now is fine. It was worse before letterboxing because those bars, which are sized by whichever windowing theme you happen to be using, gave your page area's dimensions a high-entropy fingerprint. Is your issue that the page area isn't centered vertically in the letterbox? That would be relatively easy to patch. Is your issue that you want the page area to fill the vertical space and adhere to letterbox increments? Then, the vertical size of the entire window would have to snap-decrease rather than the letterboxing in one tab.

Those bars don't really need to be used. The Menu Bar's features are in the 3-lines hamburger menu on the right-hand side, and the Bookmarks Toolbar is candy for shoulder surfers and makes your browser fingerprint stand out across every tab and every New Identity session. Instead, you could Customize the main toolbar and drag the button for the Bookmarks Menu onto the main toolbar, or you could open the Bookmarks Sidebar when you need it.

As far as I know, Tor Browser always has been able to play youtube videos in standard security mode. Changes were needed only in the higher security modes: safer and safest.

PETER

November 19, 2020

Great!

PETER

November 19, 2020

Thank you very much for your hard work. This time, I experienced something a bit strange, though perhaps accidental and unimportant.
1) While using 10.0.4, I saw the "A new Tor Browser update is available" balloon popped up.
2) I clicked "See what’s new" and came to this page.
3) I didn't click "Download Update" nor "Not Now" but was doing something else.
4) After a while I noticed that only the blue "Download Update" rectangle remained on the Browser's main window, the said balloon not having disappeared entirely nor remaining (redrawn) properly, but only the blue part remained.
5) I thought I'd update later, after backing up 10.0.4 just in case, so I ignored this blue "button", which eventually disappeared... or so I thought.
6) After a while I restarted TorBrowser 10.0.4, then updating started (perhaps I accidentally clicked "Download Update" in 5, though I didn't think so...). So from my point of view, this was a force-update to 10.0.5, without asking. So far I can't reproduce this behavior, though...

The above is essentially harmless, just that 10.0.4 was updated to 10.0.5, which I was going to do anyway. However, at least the "update is available" balloon is (was) not redrawn properly in some situation, when you don't close it explicitly by clicking "Not Now" and keep it floating for a while. That's what I think I experienced anyway. Just something cosmetic, I guess.

Drawing (showing) the blue "Download Update" part floating on the page is trivially easy via CSS, so if this is allowed and accepted by the end user, potentially a malicious web site can show the same blue "button" that looks like a button to update Tor Browser and let the user download something else. In reality, probably no one is tricked by that, though... Thanks again.

Yes, all updates are downloaded automatically and the update process is completed on the next start of the browser, only if the download completed successfully before you quit the browser during the previous session.

PETER

November 21, 2020

Since updating on 17th many things do not work now. My bookmarks have disappeared. I am not able to get new bookmarks to add to the library either. How can I recover my bookmarks and adding facility?

PETER

November 28, 2020

What is the GitLab approval time? Is a problematic email domain excluded? I have waited some days.

I made this comment on the blog post "From Trac into Gitlab for Tor" but it's not approved.