New Release: Tor Browser 10.5a2

by sysrqb | October 21, 2020

Tor Browser 10.5a2 for Desktop platforms is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

Tor Browser 10.5a2 ships with Firefox 78.4.0esr, updates NoScript to 11.1.3, and OpenSSL to 1.1.1h. This release includes important security updates to Firefox.

Note: Tor Browser 10.5 does not support CentOS 6.

Note: We encountered updater issues for all alpha users that have been auto-updating the alpha series for months. We changed the accepted MAR channel ID to torbrowser-torproject-alpha as we are on an alpha channel. The assumption was that enough time passed since we changed it last time to torbrowser-torproject-release,torbrowser-torproject-alpha but it turns out that change did not get applied. Workaround: change the torbrowser-torproject-release in your update-settings.ini (in the Browser's code directory, which depends on you operating system) file to torbrowser-torproject-alpha and the update should get applied successfully. Alternatively, downloading a fresh alpha copy of Tor Browser works as well. Sorry for the inconvenience.

Note: Now Javascript on the Safest security level is governed by NoScript again. It was set as false when on Safest in 9.5a9. The javascript.enabled preference was reset to true beginning in Tor Browser 10.5a1 for everyone using Safest and you must re-set it as false if that is your preference.

The full changelog since Tor Browser 10.5a1 is:

  • Windows + OS X + Linux
    • Update Firefox to 78.4.0esr
    • Update NoScript to 11.1.3
    • Update OpenSSL to 1.1.1h
    • Update Tor Launcher to 0.2.26
      • Translations update
    • Bug 31767: Avoid using intl.locale.requested preference directly
    • Bug 33954: Consider different approach for Bug 2176
    • Bug 40011: Rename tor-browser-brand.ftl to brand.ftl
    • Bug 40012: Fix about:tor not loading some images in 82
    • Bug 40013: End of year 2020 Fundraising campaign
    • Bug 40016: Fix onion pattern for LTR locales
    • Bug 40139: Update Onboarding icon for 10.0
    • Bug 40148: Disable Picture-in-Picture until we investigate and possibly fix it
    • Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots
    • Bug 40192: Backport Mozilla Bug 1658881
    • Translations update
  • Windows
    • Bug 40140: Videos stop working with Tor Browser 10.0 on Windows
  • Build System
    • Windows + OS X + Linux
      • Update Go to 1.14.10
      • Bug 40104: Use our TMPDIR when creating our .mar files
    • Linux
      • Bug 40118: Add missing libdrm dev package to firefox container
    • Windows

Comments

Please note that the comment area below has been archived.

October 22, 2020

Permalink

i often invoke tor b4 doing work on computer but there does not appear 2b any diff. in how the comp. works....so am i connected or not? is there a special 'google' type of search pgm that i can/should use with tor? the search bar always shows that i'm using duck duck go. is that normal? i always use firefox, then tor, then an ips (ipa?). is that procedure ok?

If you use Tor Browser and have not torified other applications, then only Tor Browser connects to the Tor network through the tor daemon. If you use the expert bundle, which is the tor daemon without the browser, and have not reconfigured it, then only the tor daemon connects to the Tor network.

It sounds like you are misunderstanding several things. Please review the Support website, Tor Browser manual, old General FAQ, and open the address about:tor and click the onion circle in the top left.

Google is not a search program that runs on your local device. It is a website and search engine that you access online through a web browser. You can check if a particular web browser is connected to the Tor network by visiting: https://check.torproject.org/

November 02, 2020

Permalink

> Bug 40148: Disable Picture-in-Picture until we investigate and possibly fix it

To Georg's comment, the question is not whether Picture-in-Picture works. It does work as it does in Firefox. The question is how, if at all, to make it safe and non-fingerprintable. For instance, letterboxing is not applied to its window. Also, its window opens to a size that fits the resolution of the video, but many video players load in Auto resolution mode which dynamically adjusts the resolution based on present network speed. Those are just two issues from just casually using the UI.

Picture-in-picture is NOT enabled by media.videocontrols.picture-in-picture.video-toggle.enabled. Only the "video-toggle" is, which means only **whether the blue button is hidden** in its browser tab and right-click menu when the video is not in the picture-in-picture floating window. video-toggle.enabled does not control enabling the feature; only whether its button is displayed. Picture-in-picture is enabled by the preference, media.videocontrols.picture-in-picture.enabled.

To see them all, just open about:config, and type "videocontrols". While you're there, media.videocontrols.lock-video-orientation is not related to picture-in-picture but also sounds fingerprintable.

Descriptions of an older set of PiP preferences are under the "overview" heading here: https://www.ghacks.net/2019/10/29/a-look-at-firefoxs-upcoming-picture-i…