New Release: Tor Browser 10.0.8

Tor Browser 10.0.8 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox for desktops to 78.6.1esr and Firefox for Android to 84.1.4. This version resolves instability on Apple macOS devices with the new M1 processor.

The full changelog since Desktop and Android Tor Browser 10.0.7 is:

  • All Platforms
    • Update NoScript to 11.1.7
  • Windows + OS X + Linux
    • Update Firefox to 78.6.1esr
  • Android
    • Update Firefox to 84.1.4
  • OS X
    • Bug 40262: Browser tabs crashing on the new Macbooks with the M1 chip
  • Build System
    • Android
      • Bug 40195: repo.spring.io is not usable anymore
Anonymous

January 13, 2021

Permalink

I had about five blue pop-ups from Noscript about potential DoS javascripts on the day before you released this version. I don't know if it was just the news sites I had open (mainstream sources) or the number of tabs (over 100). My security level was "safer". Each page had lots of ads of course, too. Usually, the only pop-ups I have are for allowing media.

I remember "potential DoS", but I don't remember if all of them said "potential". They looked like the cross-site scripting alert. The log textarea on the pop-ups was much bigger, and they had the 4 XSS choices. Block, Always block, Allow, Always allow. I'm mostly confident they were from NoScript, but it's the first time I can remember noticing "DoS" in them.

Anonymous

January 13, 2021

Permalink

you should probably mention this fixes a use-after-free bug in Firefox that was rated by them as critical (CVE-2020-16044)

I considered mentioning it. The affected code (WebRTC) is not used in Tor Browser, so there was a trade-off between mentioning it and explaining that Tor Browser was not affected, and, therefore, hoping that including it wouldn't confuse people more; or just leaving it out of the post.

Anonymous

January 13, 2021

Permalink

Issue 40081 "Letterboxing since 32220 affected by layout.css.devPixelsPerPx" issue was introduced in 9.5a2 and has continued to persist in each new release.

Do you mean bug 40237 explained in the blog post for tor 0.4.5.3-rc? In version names, "rc" means "release candidate". It's being tested before it becomes a standard release version. After a tor daemon version drops the "rc" and is released as a standard version, it will be bundled into a release of Tor Browser.

Refresh your copy of the key. Read the updated Support FAQ:
https://support.torproject.org/tbb/how-to-verify-signature/

Some keys on public keyservers were flooded with signing signatures in 2019. Until the ecosystem recovers or a patched GPG is standard in most places, some users are serving keys via methods they have more control of.
https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-cer…
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html

Anonymous

January 15, 2021

Permalink

I have been getting this message for a few weeks now when I choose New Identity:
Torbutton: Unexpected error during storage clearing: Error: Error deleting data with flags 526280: 256
I just click OK and everything is normal but it's annoying.

Anonymous

January 15, 2021

Permalink

Just tried Duck to find "Ted Cruz testimony house hearings" had some difficulty, then installed Tor and tried again. Several pics showed up of Cruz testifying....when I selected one, a message popped up "our systems have detected unusual traffic from your computer network. Please try your request again later. (Then, in blue, this comment) Why did this happen?" I hesitated but went ahead and clicked on the Why? and here is what popped up...

This page appears when GOOGLE automatically detects requests coming from your computer network which appear to be in violation of the TERMS OF SERVICE, The block will expire shortly after those requests stop. This traffic may have been sent by malicious software, a browser plug-in or a script that sends automated requests. If you share your network
connection, ask your Administrator for help - a different computer using the same IP address may be responsible. LEARN MORE , Sometimes you may see this page if you are using advanced terms that robots are known to use or sending requests very quickly.

My Question...it seems Google/YouTube just blocked me, even though I was using Tor??
Any suggestions?

Anonymous

January 15, 2021

Permalink

As a TBB Linux user, I haven't been able to connect to Tor with obfs4 since 10.06. It stops at 25% retreiving network information and only meek works. Whonix doesn't connect at all. Connecting directly isn't an option :( These are the logs:
1/16/21, 00:11:59.514 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/16/21, 00:11:59.514 [NOTICE] Opening Socks listener on 127.0.0.1:9150
1/16/21, 00:11:59.514 [NOTICE] Opened Socks listener on 127.0.0.1:9150
1/16/21, 00:12:00.478 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
1/16/21, 00:12:00.479 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
1/16/21, 00:12:00.558 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
1/16/21, 00:12:00.597 [NOTICE] Bootstrapped 14% (handshake): Handshaking with a relay
1/16/21, 00:12:00.665 [NOTICE] Bootstrapped 15% (handshake_done): Handshake with a relay done
1/16/21, 00:12:00.666 [NOTICE] Bootstrapped 20% (onehop_create): Establishing an encrypted directory connection
1/16/21, 00:12:00.701 [NOTICE] Bootstrapped 25% (requesting_status): Asking for networkstatus consensus
1/16/21, 00:12:04.637 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
1/16/21, 00:12:04.637 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/16/21, 00:12:04.637 [WARN] Pluggable Transport process terminated with status code 0
1/16/21, 00:12:05.487 [NOTICE] Delaying directory fetches: DisableNetwork is set.

Please help.

Anonymous

January 15, 2021

Permalink

Colors still mostly don't work. This text field I'm typing in has a green background, which is probably what I told it to do but white text, which I told it not to do. This has been broken awhile, as the last of the 7.x builds worked as expected but early 8.x builds needed to be fidgeted with repeated before honoring the browser.display.document_color_use setting. Soon after, it stopped honoring any setting but its own, so much of my TOR-browsing is done in the 7.x installer I could find.

Please continue looking into this.

Anonymous

January 17, 2021

Permalink

one thing that I'm missing: the security-level-slider should be independently working for different opened windows

Anonymous

January 17, 2021

Permalink

I get like five error popups after installing and trying to run the browser on windows 10. Anyone think they can help me.

Anonymous

January 19, 2021

Permalink

Hi,

I want to verify that the download of Tor Project Browser was true. I ran Kleopatra to verify the sign keys on the installer before downloading, but shouldn't there be sha256 available in the code signing certificate or online so I can verify using cmd certutil -hashfile (also new to gpg4win)? I'm on windows btw.

Thanks,
A noob

That information is published if you want it, but the PGP (using GPG4Win) is sufficient for verifying the authenticity and integrity of the installer. The sha256 has is available in the sha256sums-signed-build.txt file on the server. This file is signed like the installer, too. For example: https://dist.torproject.org/torbrowser/10.0.8/sha256sums-signed-build.t…

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

11 + 4 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.