New Release: Tor Browser 11.0a1 (Android Only)
Tor Browser 11.0a1 is now available from the Tor Browser download page and also from our distribution directory.
Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
This version updates Fenix to 90.0.0-beta.6.
Warning:
Tor Browser Alpha does not support version 2 onion services. Tor Browser (Stable) will stop supporting version 2 onion services later this year. Please see the deprecation F.A.Q. entry regarding Tor version 0.4.6. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.
The full changelog since Tor Browser 10.5a17:
Comments
Please note that the comment area below has been archived.
Good job. Anonymity and…
Good job. Anonymity and privacy is very necessary these days.
When is the next stable…
When is the next stable release?
Current stable version is…
Current stable version is leaking Accept-Language according to browserleaks.com/IP
System language is EN-US, shows as EN-US and if I change language in Tor it still says EN-US along with whatever language I've selected. Isn't this a fingerprint and identity risk?
Do you have enabled the…
Do you have enabled the setting "Request English versions of web pages for enhanced privacy"? This setting is on the Languages menu at the top.
Why do I keep getting…
Why do I keep getting unresponsive script warnings? The app only works properly on its first use, after that its always warnings about httpseverywhere. I have to erase all data and start over every time I want to browse without being spied on. Could anyone give advice what to do?
Can you confirm you see this…
Can you confirm you see this issue: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/323…?
Yes it is the same as what…
Yes it is the same as what user "LokiAstaroth" shows a photo of except it's for the HTTPS Everywhere add-on instead of whatever Pako is. It's been a known issue for over a year? I expected I was the odd one out likely due to idiocy but clearly not. Please get around to fixing it. It doesn't render the app unusable but it is a needless extra step and I worry many will click OK and continue browsing perhaps with insufficient protection due to broken scripts.
Can you please provide the…
Can you please provide the exact file name when you see it again?
Just managed to trigger it…
Just managed to trigger it. I can't copy/paste what it says as the app won't let me. This is what it says.
Warning: Unresponsive script
A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: moz-extention://87ab41ed-6d15-...m/https_everywhere_lib_wasm.js317
Thank you. "https_everywhere…
Thank you. "https_everywhere_lib_wasm.js:317" is the part I was hoping you could provide.
Very welcome. If possible…
Very welcome. If possible please try to work a fix or the next release, it must be affecting plenty of people, I know it's open and it can all be done at home but I'm clueless. Another minor point you might want whilst here is that changing theme doesn't work, if you click the option for dark design the app flashes for a second and remains purple. It's nothing anyone would care about but might be worth mentioning Incase it links up with other codes/scripts
Why can't we fully disable…
Why can't we fully disable cookies? Tor is set to only block third parties by default and you can't change it? Host cookies can be used to identify you and we should have cookies fully disabled at default
The site can only identify…
The site can only identify you when you re-visit the same domain (as the first-party) who originally set the cookie, however when Javascript is not disabled then blocking first-party cookies would not prevent re-identification in this way because a web site can use local storage for a similar purpose. If you are concerned about a web site re-identifying you, then you should use the New Identity button or restart the browser before revisiting the site.
So so long as JavaScript it…
So so long as JavaScript it fully disabled as it should be in "safest" mode then cookies pose zero threat? I'd appreciate confirmation as I've had cookies breach VPN previously.
Thanks.
No, when using Safest mode a…
No, when using Safest mode a cookie may be stored and a web site can potentially re-identify "you" if you reload the web page, or if you navigate away from that site and then return at a later time. A web site can not re-identify you using cookies after you restart the browser or use New Identity. Hopefully this is clearer.
Yes that is clearer…
Yes that is clearer. Provided that "You" contains no real information about the end user then it's fine. I do still believe we should be given the option of fully blocking if we want to. Does the desktop version also have this restriction? If not then behind Tor + 3rd party enabled = Tor on Android. Site and service hosts will be able to tell who is on mobile and who is on desktop. I also appreciate the speed of your responses, I must have caught you with no Cheeto dust on them fangers
On Windows/macOS/Linux …
On Windows/macOS/Linux (Stable/Release) and Android (Alpha), you can adjust the preference in about:config: `network.cookie.cookieBehavior` to 2. https://wiki.mozilla.org/Security/Cookies
Be aware this will allow web sites to distinguish you from Tor Browser users who do not change this setting.
It's about avoiding being…
It's about avoiding being identified to begin with, if you've been identified once then it's game over so re-identification just gives them what they already have. You need to explain in idiot friendly terms how to avoid identification from cookies. I can't tell if you mean we get identified straight away or we get identified by visiting a site that another previously visited site used to embed cookies, despite us not knowing when the third party cookie was attempted to be placed or which website it belongs to.
Yes, let me rephrase that…
Yes, let me rephrase that answer. Cookies (from a first-party) are used for recognizing returning visitors, not identifying/tracking individual users. There is a fine line between these two actions, but cookies only providing a mechanism linking together requests from the same user/browser.
the "cookie" setting…
the "cookie" setting actually controls "Site Data" and includes the ability for a site to use localStorage, sessionStorage, cookies, indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications). Note some of these do not apply to Tor Browser or PB mode
So in reality, the cookie setting can be abused by websites in many ways to facilitate tracking. But FPI isolates all those (maybe not service workers = not used in PB mode - I think there's a ticket for that) to first party. In fact, I don't even see the issue with 3rd party cookies here TBH
As sysrqb says, you need to use New Identity if you want to properly sanitize all methods that can be used to linkify. That is by design - but could do with some work to educate people (like myself, even I was confused)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/402… is currently confidential, sysrqb feel free to unhide it
Just would like to inform…
Just would like to inform the team that bug 40110 has yet to be fixed and wondering if this more of a persistant feature than a temporary bug. Also would like to know if there's a workaround for it. Tq.
It is the side-effect of a…
It is the side-effect of a feature, but it is not a feature itself. Please see this comment for more information: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/405…
Both upload and download don…
Both upload and download don't work. I tap download, it prompts to confirm, I click yes, it downloads a 0kb file. Every single time
Can you provide an example…
Can you provide an example site where the download is failing? Is it for specific file formats?
When is new release? It's…
When is new release? It's been month from last stable built. Lots of people still worried from tracking telemetry and unfixed bugs. Please do not see Android as a lesser priority
Today
Today