New Release: Tor Browser 10.0.12
Tor Browser 10.0.12 is now available from the Tor Browser download page and also from our distribution directory.
This version updates Desktop Firefox to 78.8.0esr and Android Firefox to 86.1.0. In addition, Tor Browser 10.0.12 updates NoScript to 11.2.2, Openssl to 1.1.1j, and Tor to 0.4.5.6. This version includes important security updates to Firefox for Desktop, and similar important security updates to Firefox for Android.
The full changelog since Desktop and Android Tor Browser 10.0.11 is:
- All Platforms
- Update NoScript to 11.2.2
- Update Openssl to 1.1.1j
- Update Tor to 0.4.5.6
- Windows + OS X + Linux
- Android
- Update Firefox to 86.1.0
- Bug 40138: Create survey banner on about:tor for Android
- Bug 40144: Hide Download Manager
- Bug 40171: Make WebRequest and GeckoWebExecutor First-Party aware
- Bug 40188: Build and ship snowflake only if it is enabled
- Bug 40309: Avoid using regional OS locales
- Bug 40344: Set privacy.window.name.update.enabled=false
- Build System
Comments
Please note that the comment area below has been archived.
> Update Openssl to 1.1.1j …
> Update Openssl to 1.1.1j
If a Linux distro's repository packages an older version, which one will Tor Browser use?
Tor Browser uses the…
Tor Browser uses the included version in this update.
What about favicons super…
What about favicons super cookies?
Do I reinstall TorBrowser always after using?
No, Tor Browser is not…
No, Tor Browser is not vulnerable to that attach after the browser is restarted.
cookie monster, a reply was…
cookie monster, a reply was given to you before:
https://blog.torproject.org/comment/291200#comment-291200
Also read:
https://blog.torproject.org/comment/290998#comment-290998
Switching DuckDuckGo from…
Switching DuckDuckGo from POST to GET unfortunately doesn't solve DDG recently not rendering on safest security level.
Okay, fixing that problem…
Okay, fixing that problem was not the goal, but this is good to know.
Hi, please fix this problem…
Hi, please fix this problem. I've created the issue.
It appears using https:/…
It appears using https://html.duckduckgo.com?q=%s instead of https://duckduckgo.com?q=%s works on safest. Go to html.duckduckgo.com, right click the text box, and choose add search engine.
Caution: Customizing your…
Caution: Customizing your search engines makes your activity stand out and more trackable. Alternatives to customizing are to type in https://html.duckduckgo.com/html/ or to lower your security level to Safer or Standard. If you add a search engine or customize NoScript or save bookmarks, it's recommended to revert or delete your changes after the problem is repaired in a later version of Tor Browser.
As temporary workaround,…
As temporary workaround, when using DDG .onion or normal, insert "html" without quotation marks between / and ? into the URL string in the address bar, or set DDG HTML as standard SE in Options.
Blank page if searching…
Blank page if searching DuckDuckGo in Safest SECURITY LEVEL. Trisquel 8 x86
https://lite.duckduckgo.com…
https://lite.duckduckgo.com/lite/ works
In Safest, DuckDuckGo works…
In Safest, DuckDuckGo works for me if I temporarily allow "script" for duckduckgo.com in NoScript. We should be asking DuckDuckGo to fix what it changed.
But if newbies read this, they should set Safer instead because customizing NoScript makes your browser fingerprint more identifiable. Do it only if you understand the implications and risks. NoScript's icon is hidden by default anyway. If you changed NoScript per-site permissions and no other options in NoScript, you can reset NoScript by changing Tor Browser's security level or by clicking the right-most big clock button in the top of NoScript's menu whose tooltip (hover pop-up text) says, "Revoke Temporary Permissions".
The fix is coming. https:/…
The fix is coming.
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/40030
Wait for a moment. It will…
Wait for a moment. It will redirect to non-javascript site of DDG. If it don't do that it will say to click "here".
Or, you can just go to https://html.duckduckgo.com/html then search
Because in safest security settings Tor browser disable javascript.
If you want to use javascript version of any sites you should go with safer settings.
On about:tor, this doesn't…
On about:tor, this doesn't load on safest:
resource://torbutton-assets/tor-survey-icon.svg
resource://torbutton-assets…
resource://torbutton-assets/tor-survey-icon.svg
windows: works for me on all three slider settings
Linux 64-bit, Safest sets…
Linux 64-bit, Safest sets
svg.disabled;true
, and the image doesn't work.There is no slider.
There is no slider.
DuckDuckGo, DuckDuckGo onion…
DuckDuckGo, DuckDuckGo onion and Startpage searches no longer load when the safety slider is set on Safest. It loads when set on Safer.
This issue was intermittent with the previous version (10.0.10) but it appears not loading at all now.
Should you also update…
Should you also update Python 3.6.8 with security fixes?
https://docs.python.org/release/3.6.13/whatsnew/changelog.html#changelog
Survey page has expired. I…
Survey page has expired. I took too long writing everything, and the website lost all of it. I hope my many paragraphs you weren't able to receive helped you a ton!! I won't be writing it again.
Same experience, survey page…
Same experience, survey page expired.
1. Survey blog post is locked for comments. Clearly this blog admin doesn't want user feedback on a user survey (this is actually kinda newb)
2. Multiple open text fields and explicit instructions to write out sentences and paragraphs, but session timeout is a mere few minutes. One could probably squeeze it in typing 1,000 wpm or more.
3. Probably shouldn't make an anonymous survey in wix. Lol.
Thanks for your great work! …
Thanks for your great work!
"Bug 40287: Switch DDG search from POST to GET": since this is not really a bug, but a change in a user preference setting, I personally do prefer POST much more. Perhaps this setting can be offered on the "Preferences/Search" tab...
Until then, what TorBrowser search file(s) can I tweak to revert my DDG searches back to the POST method? At least for the search bar.
Appreciate any info or link.
Thanks.
tor-browser_en-US/Browser…
tor-browser_en-US/Browser/omni.ja/chrome/browser/search-extensions/ddg/manifest.json
https://duckduckgo.com/params
kg = g for GET; p for POST.
./tor-browser_en-US/Browser…
./tor-browser_en-US/Browser/browser/...
2 layers of "browser", not 1. Otherwise, you find the wrong
omni.ja
file.Why are there two? I am…
Why are there two? I am guessing because one is for Firefox and one is for Tor Browser? So the Tor Browser
omni.ja
takes precedence? Thank you for fixing that.> what TorBrowser search…
> what TorBrowser search file(s) can I tweak to revert my DDG searches back to the POST method?
It's complicated. First of all, you shouldn't. It is not recommended because the POST method will structure your packets differently from other Tor Browser users (who now do GET) and make your activity more trackable. Second, read this thread from the blog post announcing the release of the alpha version that contained the change.
Third, the files in the source code that were changed are listed in issue 40287 that you pasted. Issues in GitLab are called "Bug" in the blog post and changelog. A reply before mine noted the default file
.../ddg/manifest.json
inside an omni.ja archive. Json files can be opened in a text editor, never in a word processor. Don't edit files in the browser's folder while the browser is open. Close the browser, make a backup copy of the json file in case you break it, and make another copy you will edit and paste into theomni.ja
file, overwriting the originalmanifest.json
.Examples of what to write in your edit are in the other reply and in files on Mycroft Project. Those custom search engines would be installed to the file
./tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/search.json.mozlz4
Mozlz4 files can be edited in the Firefox add-on mozlz4-edit. It's not recommended to install add-ons in Tor Browser.Good job! Thank you!
Good job! Thank you!
Now when activating plugin…
Now when activating plugin NoScript 11.2.2 and 11.2.3 the duckduckgo.com search engine does not work.
This update: 10.0.12 is…
This update: 10.0.12 is causing very high CPU usage on the Mac, compared to the previous version. Please fix this.
Good browser!
Good browser!
It's good that you provide…
It's good that you provide important updates almost instantly!
DDG search becomes…
DDG search becomes problematic for me . Someone asked for this change, to be able to return to the page that contains search results. By pressing [back] button. It's fine. But I don't want my search keywords to be visible in url . Isn't post always safer when it comes to handling form data ? Am I missing anything ?
> Isn't post always safer…
> Isn't post always safer when it comes to handling form data?
No. The GET method does not significantly increase privacy. Read here:
https://blog.torproject.org/comment/290937#comment-290937
The significance of visibility of keywords in URLs is higher in your web browser than when the message data is in transit or on the server. Furthermore, most people don't save bookmarks, so the URLs in their browser session would be displayed on screen at the same time as the page contents would be. In that case, the page contents and the hostname are significantly more sensitive than keywords appended at the end of the URL, but neither the page contents nor the hostname are hidden by the POST or GET methods. People who do save bookmarks are assumed to understand the risks of saving their browsing history to disk and how to edit the bookmarks to remove keywords.
Correction: No. The *POST*…
Correction:
No. The *POST* method does not significantly increase privacy from the GET method.
Tor Project, ask your…
Tor Project, ask your outreach team to consider putting out a call on social media for translators for Myanmar (Burmese language). They are protesting a military coup and could use Tor. In the message, translate the keywords into Burmese that Burmese speakers are most likely to stumble upon. Link to here: https://community.torproject.org/localization/ Include the most common hashtag, #WhatsHappeningInMyanmar
Updated, thanks
Updated, thanks
Survey filled!
Survey filled!
https://xenproject.org…
https://xenproject.org/developers/teams/windows-pv-drivers/
slideshow doesn't work.
Tor Browser does not work on…
Tor Browser does not work on OpenBSD.
However OpenBSD's official ports have tor and torsocks. If I install them, I will be able to tunnel internet traffic through Tor, is that right?
OpenBSD's port has Firefox. But I need to export Tor Browser's tweaks to Firefox before I can use the latter. How do I extract Tor Browser's multiple privacy settings?
The versions of tor,…
Neither Tor Project nor Mozilla builds for *BSD. The versions of tor and tor-browser in OpenBSD's official repositories are old, insecure and not recommended. For example, in OpenBSD 6.8 the version of tor is 0.4.3.6, but the most recent as of the date of your comment were 0.4.5.6 or 0.4.4.7. Tor Browser's preferences are not the only changes from Firefox. There are changes to the source code as well. You would be better off trying to use the versions in FreeBSD's repositories, or installing a virtual machine to run Linux, or trying to compile the source code of Tor Browser for OpenBSD.
A presentation on this…
A presentation on this webpage is not functional in TBB: https://xenproject.org/users/security/
Are you referring to the…
Are you referring to the embedded Youtube videos?
It's now finally possible to…
https://mastodon.social/@torproject/105821525048636734
https://twitter.com/torproject/status/1366811402552438786
Write information about DV certs for v3 onion services in the Community pages or in Tor Project's valuable but now non-editable wiki or before writing it on social media. You're setting it up to be forgotten.
Now there is a blog post:…
Now there is a blog post: https://blog.torproject.org/tls-certificate-for-onion-site
I installed this Tor Browser…
I installed this Tor Browser version 10.0.12. Is it the correct default Tor Browser result if the pages like https://browserleaks.com inform that the screen resolution is 999×1000?
No. That is a bug. The…
No. That is a bug. The letterboxing feature is supposed to make pages be a multiple of 200x100. The developers know about the bug: tpo/applications/tor-browser#40081