New Release: Tor Browser 10.0.2
Tor Browser 10.0.2 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox to 78.4.0esr and NoScript to 11.1.3. This release includes important security updates to Firefox.
Note: Now Javascript on the Safest security level is governed by NoScript again. It was set as false when on Safest in 9.5a9. The javascript.enabled preference was reset to true for everyone using Safest beginning in Tor Browser 10.0 and you must re-set it as false if that is your preference.
The full changelog since Tor Browser 10.0.1 is:
Comments
Please note that the comment area below has been archived.
Android version?
Android version?
The Android version is not…
The Android version is not ready.
I sad
I sad
When will Snowflake be ready…
When will Snowflake be ready for the stable _Tor Browser release?
Most likely some time next…
Most likely some time next year.
On safest, "Donate Now" on…
On safest, "Donate Now" on about:tor is not visible. To test, change security level and refresh the page.
Thanks https://gitlab…
Thanks
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/40020
please back up the bridges
please back up the bridges
What do you mean? Bridges…
What do you mean? Bridges are preserved if you automatically update, so you don't need to do anything.
If you want to back up custom bridges you pasted in your Tor preferences, then open the preferences and copy them. Hamburger menu --> Preferences --> Tor --> Bridges. That GUI saves them in your torrc file.
However, if you use Tails, bridges are erased every time you shut down the OS. That could help or harm you depending on the fingerprintability of your hardware and whether you are mobile.
What about the top recent 0…
What about the top recent 0-day vulnerability with "external Fonts"? (0-day vulnerability via fonts - normally may contain PNG injections that can be specially prepared for evil; allegedly this vulnerability is already actively used!)
Does it affect this version??? Does NoScript prevent the issue or we have to use "browser.display.use_document_fonts" to stay safe???
PS. details: https://www.opennet.ru/opennews/art.shtml?num=53922
Requesting a new bridge does…
Requesting a new bridge does not prevent websites from loading in the background. The "Request a new bridge" button should work like a killswitch and prevent any background connections so the ISP can't know that someone is using tor. It'd also be nice to have a "reconnect to bridge" button because the only way to make tor + bridge work on an unstable internet without tor traffic being exposed to the ISP is to restart the whole browser which is annoying.
If you don't want your ISP…
If you don't want your ISP to know that you're using Tor, then configure a bridge when you open Tor Browser for the first time after installing but before the browser window opens and makes connections. Do this by clicking Configure on the Tor Launcher window. If you skipped that and connected to a guard node, you already made it known that you're using Tor. Once the browser is open, then you can request a new, different bridge if you want to in Preferences.
The tor daemon tries to reconnect to the Tor network using your Tor preferences whenever a torified program such as Tor Browser tries to re-establish a connection. You don't need a button. Watch the circuit diagram in your address bar on each tab.
It sounds like you are misunderstanding several things. Please review the Support website, Tor Browser manual, old General FAQ, and open the address
about:tor
and click the onion circle in the top left.Is it safe to use uBlock…
Is it safe to use uBlock Origin instead of NoScript?
NoScript XSS popups are just annoying
According to a Q&A on the…
According to a Q&A on the official Tor website, the answer is NO.
That's not recommended. You…
That's not recommended. You'd be in the minority of TBB users--your browser's fingerprint would stand out.
Tor Browser included in…
Tor Browser included in Tails uses uBlock Origin.
Yes, but for your…
Yes, but for your fingerprint to blend in with other users', it's better to use Tails than to install uBlock yourself.
> NoScript XSS popups are…
> NoScript XSS popups are just annoying
Those popups have an option to "Block all". I think (and hope) they reset when you start a new identity.
Why the Android version asks…
Why the Android version asks for new permissions?
By the way, comments here often don't work without JavaScript.
> comments here often don't…
> comments here often don't work without JavaScript.
https://ocewjwkdco.tudasnich.de/comment/289727#comment-289727
"Tor Browser 10.0.1 (based…
"Tor Browser 10.0.1 (based on Mozilla Firefox 78.3.0esr) (64-bit)" does not update to 10.0.2 . It answers with "Tor Browser is up to date". The initial installation was done with 'torbrowser-install-win64-9.0.9_en-US.exe'. Afterwards it was always updated to each latest release. But now it fails. Known issue?
Did not automatically or…
Did not automatically or manually update from within the app. I had to download and install.
Hi! Automatic updater does…
Hi!
Automatic updater does not seem to work on Linux (Debian and Whonix) as it usually does. I am stuck on Tor browser 10.0.1.
If I try to update manually (Burger Menu-> "Help" -> "About Tor Browser"), Tor Browser says: "Tor Browser is up to date".
This never occurred before.
Cheers.
This should be resolved now…
This should be resolved now. Please try again.
Yes it is. Thanks
Yes it is.
Thanks
On Oracle Linux 7 (64 bit)…
On Oracle Linux 7 (64 bit) it complains about not being able to install the latest version (even though it is indeed the latest version).
Hello, I have had this…
Hello, I have had this problem for about a month. I have tried various solutions but none were effective. Please, if you help me, I appreciate..
Nombre del evento de problema: APPCRASH
Nombre de la aplicación: firefox.exe
Versión de la aplicación: 78.3.0.7427
Marca de tiempo de la aplicación: 00000000
Nombre del módulo con errores: RPCRT4.dll
Versión del módulo con errores: 6.1.7600.16385
Marca de tiempo del módulo con errores: 4a5be035
Código de excepción: c0000005
Desplazamiento de excepción: 0000000000049518
Versión del sistema operativo: 6.1.7600.2.0.0.256.48
Id. de configuración regional: 11274
Información adicional 1: c44b
Información adicional 2: c44bb8e579ee3565939a4f25524d7059
Información adicional 3: c344
Información adicional 4: c344e560ffdc86336feb659194704a5f
Hello, I have had this…
Hello, I have had this problem for about a month. I have tried various solutions but none were effective. Please, if you help me, I appreciate..
Nombre del evento de problema: APPCRASH
Nombre de la aplicación: firefox.exe
Versión de la aplicación: 78.3.0.7427
Marca de tiempo de la aplicación: 00000000
Nombre del módulo con errores: RPCRT4.dll
Versión del módulo con errores: 6.1.7600.16385
Marca de tiempo del módulo con errores: 4a5be035
Código de excepción: c0000005
Desplazamiento de excepción: 0000000000049518
Versión del sistema operativo: 6.1.7600.2.0.0.256.48
Id. de configuración regional: 11274
Información adicional 1: c44b
Información adicional 2: c44bb8e579ee3565939a4f25524d7059
Información adicional 3: c344
Información adicional 4: c344e560ffdc86336feb659194704a5f
RPCRT4.dll is the Remote…
RPCRT4.dll is the Remote Procedure Call (RPC) API, used by Windows applications for network and Internet communication. source many of the errors from your log are also associated with dllhost.exe
Is windows updated? You can try removing/installing dotnet 4.0 or such, that might fix it.
how to turn off animations…
how to turn off animations/effects like it was with toolkit.cosmeticAnimations.enabled;false in previous version of firefox?
`ui.prefersReducedMotion` = …
`ui.prefersReducedMotion` = `1`. It's a hidden pref, so you need to create it. RFP covers this for web content, so you won't leak any entropy
Interesting, wouldn't it be…
Interesting, wouldn't it be a good idea to add an entropy warning to about:config settings that aren't covered? Also including something similar to TorZillaPrint (but more user friendly) into the browser rather than github that covers all these things, would seem like a good idea.
> wouldn't it be a good idea…
> wouldn't it be a good idea to add an entropy warning to about:config settings
Not practical: prefs come and go all the time. Long term the strategy would be to make RFP less susceptible to external factors - e.g. some RFP patches bypass/ignore prefs. Canvas spoofing, for example, doesn't expose the canvas to extensions.
That said, there's an "easier" way: lock extensions to only those bundled (I'd like to see this TBH, in release and unlocked for alpha), lock out about:config and ignore user.js + auto config on start. Hide everything in preferences needed to be hidden. But I don't think anyone wants to go down that road
That said, I think there are other more generic things that could be done: such as a warning for about:config that can't be disabled: not the "I accept the risk" warning that can be dismissed: I mean a bar across the top that says "Tor Browser says here be dragons - with a RESET button". And in the addons panel it could do the same re a warning. In preferences, some items could be tagged as "don't play with this".
I personally have never ever seen any message **in** Tor Browser that says not to mess with settings and not to install extensions - so NFI how new users are supposed to know. There's a at least a couple of open tickets dealing with these
I was thinking something…
I was thinking something like, a status page, perhaps included in about:tor that gives a basic status to show how unique your browser is, by loading something similar to TorZillaPrint, and give the user an easy way to fix the problems, disable add-ons, reset specific settings, etc.
It would seem to make sense to rather make the browser 'safe' by design rather than having expectations of users. I don't think it's a good idea to restrict the user, for example, I have to use many tweaks that likely make my browser more unique due to disabilities.
Just an example of some random ideas (have many). Load the web content, and only then, allow modifications to the content whilst disabling javascript, XHR connections, etc. These things cause breakage, but at least they would enable safer browsing.
Always a good idea to have more warnings. Though the adage of teaching 'why' and 'how' not just saying 'no', is a good one.
Thank you for the detailed reply.
about:config > image…
about:config > image.animation_mode > set to: none > save > close tab
> about:config > image…
> about:config > image.animation_mode > set to: none > save > close tab
I think that can be fingerprinted (as it affects web content) if I understand this correctly: https://www.npmjs.com/package/animated-gif-detector . See my earlier reply if you want to disable chrome/UI animations as per the old toolkit pref
Hi sysrqb, No Tor-project…
Hi sysrqb,
No Tor-project Blog announcement page for Tails 4.12 : https://ocewjwkdco.tudasnich.de/new-release-tails-412
They have their own web site…
They have their own web site:
https://tails.boum.org/news/version_4.12/index.en.html
Hi! What's the latest tor…
Hi! What's the latest tor browser User Agent string now? Has it changes since 9.x days?
Yes: User-Agent: Mozilla/5.0…
Yes:
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
https://wtfismyip.com/headers
Why does a blog page here…
Why does a blog page here never stops auto reloading after posting a comment? Opening a new tab with the page doesn't help either. Also, comment form is not shown while the page is in this auto reload zombie mode. This behaviour has been going on for over 2-3 months now. JavaScript is disabled on my side.
That shouldn't be happening…
That shouldn't be happening. Are you in safest mode? Any add-ons enabled?
about:config
accessibility.blockautorefresh;true
javascript.enabled;false
Does it fix with any of these options?
> JavaScript is disabled on…
> JavaScript is disabled on my side.
That's the problem. https://ocewjwkdco.tudasnich.de/comment/289727#comment-289727
Thanks for the link!
Thanks for the link!
Could you add an option to…
Could you add an option to block all background connections into Tor Browser? Thank you.
Is the privacy friendly…
Is the privacy friendly elemination of Firefox forced sending to
firefox.settings.services.mozilla.com
in Torbrowser applicable for everyone in vanilla Firefox?
Would be very nice.
When you finally fix that…
When you finally fix that bug with button that switches security levels??? It still doesn't work so we always forced to go in about:config to switch these levels.
Can you please be more…
Can you please be more specific about the bug you're experiencing?
I think he means the fact…
I think he means the fact that you can't change security levels anymore without going to about:preferences
If you're going to keep…
If you're going to keep using geoip at least update it. it's been how many months since maxmind changed their system just to opt-out california ip? in the meantime many of tor network nodes have changed jurisdiction.
you have other options for sourcing geoip files.. some of which require less processing than maxmind mmdb
fix it this isn't hard
Unfortunately it is, indeed,…
Unfortunately it is, indeed, harder than it seems. You can follow along on https://gitlab.torproject.org/tpo/metrics/trac/-/issues/32978
Have been waiting for the…
Have been waiting for the latest version...Really happy
I am unable to locate the…
I am unable to locate the torrc file at all with this version. Although Tor seems to be listening on 9150, I would want to change that to a static port of choice, for instance. All that I am seeing in my (Catalina - 10.15.7 & Tor 10.0.2) `Applications/Tor Browser.app/Contents/Resources/TorBrowser/Tor` are the below files:
the torrc-defaults is nothing like what is mentioned here
I would also want to be able to say set the control port password, which I used to be able to do earlier with the torrc.
Where do I find the torrc file ??
Also, if it helps the only 2 locations I find any file by the name torrc on my system are these:
https://support.torproject…
https://ijpaagiacu.tudasnich.de/tbb/tbb-editing-torrc/
Your 1. or 2. are likely deep within a symbolic link to the other, represented by an
l
as the first letter of the permission lines output byls -l
and an arrow near the end of the line showing where the link points. Notice they are identical after/System/Volumes/Data/
. Tor Browser.app is the installer that you downloaded whereas ~/Library contains the directory where you installed it. Look in ~/Library as the support answer explains.That's what the support link…
That's what the support link suggests.
This ~/Library/Application Support/TorBrowser-Data/Tor however does not have the torrc!
TBB 10.0.0.2 on 32-bit…
TBB 10.0.0.2 on 32-bit Windows 7 works perfectly. Thanks!
Eure Version ab 10. wird von…
Eure Version ab 10. wird von AVAST als Virus eigeordnet und damit ist TOR-Browser unbenutzbar.
Ist gerade nur einmal möglich, da 9er Version zurückgespielt, aber blödes TOR(Firfox)update zwangsweise gleich TOR unbrauchbar macht!
Hilfe nirgends sichtbar, geschweige durch neue TOR-Version behoben. Danke AVAST, die auch mail.de blocken! Datenverrat ab Legislativen für und von Unternehmen in Deutschland leider LEGITIMIERT!
https://support.torproject…
https://ijpaagiacu.tudasnich.de/de/tbb/tbb-10/
https://ijpaagiacu.tudasnich.de/de/tbb/antivirus-false-positive/
Have you updated the virus definition files of your antivirus scanner? Some scanners are not able to recognize new software until a few days after the software is released and you update your scanner. You commented on October 22, and Tor Browser 10.0.2 was released on October 20.
With version 10.0.2 I am…
With version 10.0.2 I am having lots of crashes (2/3 per day) by just opening links in new tabs (wheel button).
This didn't happen in 10.0.1 and before. It was a few years I didn't see crashes on Tor.
From the comments looks like it happens only to me / my configuration (win10 updated).
I also noticed that https kicks in randomly on .onion sites: shouldn't make sense, isn't it?
We haven't received other…
We haven't received other reports of crashing with this version. Do you see any consistency in when it happens? Does it crash on specific sites? You can reproduce the crash if you visit the site again?
Nope about the crash. Some…
Nope about the crash. Some sessions are affected and some don't. I used to set win to sleep when not in use, now I shutdown and restart and up to now had no more crashes.
Still crashes each time I…
Still crashes each time I use Tor. Only happens on click on link with middle mouse button to open a new tab. But totally random, couldn't find a pattern. Really annoying.
Hallo Torproject, is…
Hallo Torproject,
is Torbrowser needing "network.proxy.enable_wpad_over_dhcp:true" or is this a problem of privacy?
The javascript note is very…
The javascript note is very confusing.
>Now Javascript on the Safest security level is governed by NoScript again. It was set as false when on Safest in 9.5a9. The javascript.enabled preference was reset to true for everyone using Safest beginning in Tor Browser 10.0 and you must re-set it as false if that is your preference.
>and you must re-set it as false if that is your preference.
>if that is your preference.
This is worded strangely.
1. Am I not "really" preferring javascript to be disabled in Security Level: Safest?
2a. Wouldn't ticking javascript.enabled to 'false' be a potential vector for deanonymization?
2b. Or are you saying that this about:config option has been made irrelevant due to the privileging of NoScript settings completely over those of the browser?
This is saying that NoScript…
This is saying that NoScript controlling whether javascript is executed should be as safe as disabling javascript via the |javascript.enabled| pref in about:config. We know there are Tor Browser users who use the Safest level but they selectively enable javascript on some sites. This is not a behavior Tor Browser should prevent. However, if you never want javascript enabled on any site or you don't trust NoScript, then you may change |javascript.enabled| in about:config.
This announcement in the blog post was needed because when we originally forced disabling javascript via the preference on the Safest level, we did not save if Tor Browser had |javascript.enabled| as |false| already. Therefore, now when moving users back to disabling javascript via NoScript, all users must be moved because Tor Browser doesn't remember if you previously manually set the preference.
It always starts with http,…
It always starts with http, 9.54 has no problem with starting with https. Why is it apparently impossible to start with https in Tor10.x.x?
Can you please be specific…
Can you please be specific about *what* starts with http? Are you loading a web page?
Any webpage i enter in the…
Any webpage i enter in the adressline, like example.com, it says http in ver. 10.0x. In ver 9.54 it always says https.
What happens if i use?: dom…
What happens if i use?:
dom.security.https_only_mode = true
dom.security.https_only_mode_ever_enabled = true
dom.security.https_only_mode.upgrade_local = true
dom.security.https_only_mode.upgrade_onion = true
If i do and open qrmfuxwgyzk5jdjz.onion, i.e., it says:Secure Connection Unavailable - You’re browsing in HTTPS-Only Mode and i have to "accept the risk", because qrmfuxwgyzk5jdjz.onion is http-only. But it doesn´t do the same for http-only-non-onion sites.
Cannot comment here with 10…
Cannot comment here with 10.0.2, it goes into an endless loop, but 9.54 has no problem. To the best of my knowledge, all my settings are the same in both versions.
Are you using the Safest…
Are you using the Safest security level?
Yes, but in both versions,…
Yes, but in both versions, and i have fiddled with that and it makes no difference. Still might be a problem with some obscure setting though.
Change "Firefox" to "Tor…
Change text "Firefox" to "Tor Browser" in "Unable to connect" error message
"Unable to connect"
"Firefox can't establish a connection to the server at"
"www.[domain].com"
Blue Mozilla small dinosaur holding two plugs.
"Try Again" blue button
[Three bullets] The third one correctly says: "If your computer or network is protected by a firewall or proxy, make sure that Tor Browser is permitted to access the Web."
I have noticed that…
I have noticed that sometimes on Onion services (v3) the back-up guard node takes over from the guard. I have not seen this happen on non-onion services.
Have you any thoughts on why this is happening?
Thank you.
Yes, you may find this…
Yes, you may find this interesting:
https://gitlab.torproject.org/tpo/core/tor/-/issues/25754