New Release: Tor Browser 10.0.6

Tor Browser 10.0.6 is now available from the Tor Browser download page and also from our distribution directory.

This version brings back a functioning meek bridge, and also allows users to automatically get bridges within Tor Browser again.

The full Desktop and Android changelogs since Tor Browser 10.0.5 is:

  • All Platforms
    • Bug 40175: Update obfs4proxy's TLS certificate public key pinning
Jason

December 09, 2020

Permalink

next update can you add flash player i cant download because of the admine right please that we be very help full for me thank you.

Not just Tor Browser; all major browsers. "In July 2017, Adobe announced that it will end support for Flash Player on December 31, 2020, and continued to encourage the use of open HTML5 standards in place of Flash. All major web browsers plan to officially remove Adobe Flash Player on December 31, 2020, and Microsoft will be removing it from the Windows OS entirely in January 2021 via Windows Update. Apple’s latest MacOS, Big Sur, which was released November 12, 2020, removed software compatibility for Adobe Flash Player." Apple never has supported Flash on iOS.

But about Tor Browser, to king20,
https://support.torproject.org/tbb/tbb-12/
https://support.torproject.org/faq/staying-anonymous/
https://2019.www.torproject.org/docs/faq.html.en#TBBFlash
https://2019.www.torproject.org/docs/faq.html.en#AmITotallyAnonymous

Admin rights are not controlled by Tor Browser. They are OS configurations controlled by your system administrators. If you're trying to play games, look for websites that build-in Flash emulators based on JavaScript and HTML5, or look for games based on WebGL or the Unity game engine rather than Flash. Or use a less restrictive device (secondhand laptop), or be helpful to your local sysadmin (which you should do anyway), or work in the I.T. department, or learn to (ethically) hack or social engineer.

Tor is built the way it is to protect it's users from leaking their I P address also to protect from tracking and finger printing techniques.. Flash has always had vulnerabilities and it could expose a Tor user by trackers and user i p address.. also it has now been removed by it's own creators you can find further info https://www.adobe.com/products/flashplayer/end-of-life.html

Jason

December 09, 2020

Permalink

I don't understand why bother checking the certificates. I mean, why would the appropriate response to Microsoft Azure showing an (apparently) invalid certificate be to fail mysteriously and frustrate the user? I don't see it. What if somebody is doing a MITM-attack on Azure, why not try to connect to the "meek" server anyway? It's not as if we are certain Microsoft doesn't log who uses "meek" and gives that data to governments.

This is equivalent to "let any attacking government see meek (and moat!) in addition to Microsoft". If the attacking government is the US or related, there's effectively no difference. But if the attacking government is, say, Iran, there's an enormous difference. (Iran has specifically performed a MITM attack that got foiled by certificate pinning before, in Google Chrome.)

The certificates affect moat as well. Moat needs TLS, but if meek doesn't, then meek code should be decoupled from TLS. Maybe Azure refuses non-TLS connections?

Jason

December 09, 2020

Permalink

Good work team. Hope to see Apple Silicon support soon that would be great. Tor Browser runs well on Rosetta 2 most of the time but some onion pages keep giving a "crashed tab" error over and over. Those same pages work fine on Intel Mac. No way to make them work on the M1 chip. Hope this feedback is helpful. Looking forward to Apple Silicon support in future!

Jason

December 10, 2020

Permalink

Are referrers ever gonna be scrubbed from the HTTP header?

The main security implications are:

1.) If a user leaves a private, non-public .onion page of which the owners do not want anyone to know about, the next page he visits can discover that address - completely undermining the whole v3 hidden service overhaul, and the concept of "hidden" services.
2.) It makes tracking users much easier.

Opinions?

Jason

December 11, 2020

Permalink

Will uploading files to sites work? Now, when choosing files to upload, nothing happens. You can check on the sites sendpace, postimage and others. In Firefox this feature works, but in Tor browser there is no reaction to file selection.