New Release: Tor Browser 10.0.8
Tor Browser 10.0.8 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox for desktops to 78.6.1esr and Firefox for Android to 84.1.4. This version resolves instability on Apple macOS devices with the new M1 processor.
The full changelog since Desktop and Android Tor Browser 10.0.7 is:
Comments
Please note that the comment area below has been archived.
Good job, thank you
Good job, thank you
I had about five blue pop…
I had about five blue pop-ups from Noscript about potential DoS javascripts on the day before you released this version. I don't know if it was just the news sites I had open (mainstream sources) or the number of tabs (over 100). My security level was "safer". Each page had lots of ads of course, too. Usually, the only pop-ups I have are for allowing media.
Did the popup say "potential…
Did the popup say "potential DoS"? I can't remember ever seeing a message like that. Could it be the cross-site scripting alert?
Yes, it's because NoScript…
Yes, it's because NoScript shows this after timeout. More annoying on slower machines.
I remember "potential DoS",…
I remember "potential DoS", but I don't remember if all of them said "potential". They looked like the cross-site scripting alert. The log textarea on the pop-ups was much bigger, and they had the 4 XSS choices. Block, Always block, Allow, Always allow. I'm mostly confident they were from NoScript, but it's the first time I can remember noticing "DoS" in them.
I sometimes get this on…
I sometimes get this on websites with lots of ads, I wouldn't worry about it
you should probably mention…
you should probably mention this fixes a use-after-free bug in Firefox that was rated by them as critical (CVE-2020-16044)
I considered mentioning it…
I considered mentioning it. The affected code (WebRTC) is not used in Tor Browser, so there was a trade-off between mentioning it and explaining that Tor Browser was not affected, and, therefore, hoping that including it wouldn't confuse people more; or just leaving it out of the post.
+1
+1
Do you know of any plans for…
Do you know of any plans for WebRTC support in future? Could be useful for things like videoconferencing without revealing IP. I think IceCat already claims to fix the IP issue with WebRTC.
I really like Tor, I feel…
I really like Tor, I feel like internet privacy should be a human right.
It is, though those who…
It is, though those who signed in agreement often don't keep their oaths.
https://www.un.org/en/universal-declaration-human-rights/
Here are blog posts that…
Here are blog posts that have tags for privacy, EFF, human rights, or contain the word, "rights". The Community portal has resources for outreach and training.
Issue 40081 "Letterboxing…
Issue 40081 "Letterboxing since 32220 affected by layout.css.devPixelsPerPx" issue was introduced in 9.5a2 and has continued to persist in each new release.
Windows7 32-bit - TBB works…
Windows7 32-bit - TBB works fine! THNX!
What about the fix for Onion…
What about the fix for Onion V3 instability?
Do you mean bug 40237…
Do you mean bug 40237 explained in the blog post for tor 0.4.5.3-rc? In version names, "rc" means "release candidate". It's being tested before it becomes a standard release version. After a tor daemon version drops the "rc" and is released as a standard version, it will be bundled into a release of Tor Browser.
Why is Tor Browser being…
Why is Tor Browser being signed with expired keys?
I would also like to know…
I would also like to know why.
Refresh your copy of the key…
Refresh your copy of the key. Read the updated Support FAQ:
https://support.torproject.org/tbb/how-to-verify-signature/
Some keys on public keyservers were flooded with signing signatures in 2019. Until the ecosystem recovers or a patched GPG is standard in most places, some users are serving keys via methods they have more control of.
https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-cer…
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
Thanks, I can't believe I…
Thanks, I can't believe I missed that.
perfect! thanks alot for all…
perfect! thanks alot for all the hard work.
File uploading doesn't work…
File uploading doesn't work for me on Android. I've seen other people mention this, is this a known issue?
Yes. https://gitlab…
Yes. https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/402…
yes https://gitlab…
yes it is now https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/402…
I have been getting this…
I have been getting this message for a few weeks now when I choose New Identity:
Torbutton: Unexpected error during storage clearing: Error: Error deleting data with flags 526280: 256
I just click OK and everything is normal but it's annoying.
Just tried Duck to find "Ted…
Just tried Duck to find "Ted Cruz testimony house hearings" had some difficulty, then installed Tor and tried again. Several pics showed up of Cruz testifying....when I selected one, a message popped up "our systems have detected unusual traffic from your computer network. Please try your request again later. (Then, in blue, this comment) Why did this happen?" I hesitated but went ahead and clicked on the Why? and here is what popped up...
This page appears when GOOGLE automatically detects requests coming from your computer network which appear to be in violation of the TERMS OF SERVICE, The block will expire shortly after those requests stop. This traffic may have been sent by malicious software, a browser plug-in or a script that sends automated requests. If you share your network
connection, ask your Administrator for help - a different computer using the same IP address may be responsible. LEARN MORE , Sometimes you may see this page if you are using advanced terms that robots are known to use or sending requests very quickly.
My Question...it seems Google/YouTube just blocked me, even though I was using Tor??
Any suggestions?
Sorry, no suggestions, but…
Sorry, no suggestions, but they blocked your request because you were using Tor. Google sees abusive connections coming from Tor and blocks them, then they block non-abusive connections coming from the same Tor exit nodes.
I experience this a lot…
I experience this a lot using YouTube with the Tor Browser.
Google redirects you to that page sometimes when you're using tor. To get around it you can try the New Circuit for this Site button or the New Identity button (so you'll be using a different exit node). If you're trying a new circuit make sure you're on the site you were redirected from (e.g. you went to youtube.com and were redirected to the captcha at google.com, afaik it'll only work if you request a new circuit when you're on youtube.com). Sometimes you can't do that so you'll have to do the New Identity thing.
As a TBB Linux user, I haven…
As a TBB Linux user, I haven't been able to connect to Tor with obfs4 since 10.06. It stops at 25% retreiving network information and only meek works. Whonix doesn't connect at all. Connecting directly isn't an option :( These are the logs:
1/16/21, 00:11:59.514 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/16/21, 00:11:59.514 [NOTICE] Opening Socks listener on 127.0.0.1:9150
1/16/21, 00:11:59.514 [NOTICE] Opened Socks listener on 127.0.0.1:9150
1/16/21, 00:12:00.478 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
1/16/21, 00:12:00.479 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
1/16/21, 00:12:00.558 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
1/16/21, 00:12:00.597 [NOTICE] Bootstrapped 14% (handshake): Handshaking with a relay
1/16/21, 00:12:00.665 [NOTICE] Bootstrapped 15% (handshake_done): Handshake with a relay done
1/16/21, 00:12:00.666 [NOTICE] Bootstrapped 20% (onehop_create): Establishing an encrypted directory connection
1/16/21, 00:12:00.701 [NOTICE] Bootstrapped 25% (requesting_status): Asking for networkstatus consensus
1/16/21, 00:12:04.637 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
1/16/21, 00:12:04.637 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/16/21, 00:12:04.637 [WARN] Pluggable Transport process terminated with status code 0
1/16/21, 00:12:05.487 [NOTICE] Delaying directory fetches: DisableNetwork is set.
Please help.
Did you configure a specific…
Did you configure a specific obfs4 bridge or are you using the default obfs4 bridges?
This happens for the default…
This happens for the default obfs4 bridge and for bridges I get from moat after doing a captcha. Whonix doesn't connect through obfs4 or meek at all.. I think something related might be going on because Whonix and TBB's progress bars just stop, but the Whonix one stops while bootstrapping and the TBB one stops while retreiving network status. I've tried so many times and am afraid of losing connectivity for the browser altogether :(
Colors still mostly don't…
Colors still mostly don't work. This text field I'm typing in has a green background, which is probably what I told it to do but white text, which I told it not to do. This has been broken awhile, as the last of the 7.x builds worked as expected but early 8.x builds needed to be fidgeted with repeated before honoring the browser.display.document_color_use setting. Soon after, it stopped honoring any setting but its own, so much of my TOR-browsing is done in the 7.x installer I could find.
Please continue looking into this.
Thank you!
Thank you!
one thing that I'm missing:…
one thing that I'm missing: the security-level-slider should be independently working for different opened windows
I get like five error popups…
I get like five error popups after installing and trying to run the browser on windows 10. Anyone think they can help me.
Can you provide the error…
Can you provide the error messages?
what directory does tor…
what directory does tor download internet files to in android os please?
Tor Browser is based on…
Tor Browser is based on Firefox, so search for help about Firefox Android:
https://support.mozilla.org/en-US/kb/where-find-and-manage-downloaded-f…
https://support.mozilla.org/en-US/questions/978679
Main Menu --> Library --> Downloads
Hi, I want to verify that…
Hi,
I want to verify that the download of Tor Project Browser was true. I ran Kleopatra to verify the sign keys on the installer before downloading, but shouldn't there be sha256 available in the code signing certificate or online so I can verify using cmd certutil -hashfile (also new to gpg4win)? I'm on windows btw.
Thanks,
A noob
That information is…
That information is published if you want it, but the PGP (using GPG4Win) is sufficient for verifying the authenticity and integrity of the installer. The sha256 has is available in the sha256sums-signed-build.txt file on the server. This file is signed like the installer, too. For example: https://dist.torproject.org/torbrowser/10.0.8/sha256sums-signed-build.t…
New User, read this…
New User, read this carefully:
https://support.torproject.org/tbb/how-to-verify-signature/
Check that the 40-digit fingerprint of your copy of Tor Project's signing key matches the fingerprint on that page. It might start "0x...." which simply means it's a hexadecimal number. Your GPG may display only the final 8 or 16 digits (keyID), but you can edit gpg.conf to make it display the fingerprint and long keyID on the command line, or you can check the fingerprint in GPA or Kleopatra.
Code signing certificates are a Microsoft thing. Their signature is bundled into the installer, and their X.509 CA key is already bundled into the Windows OS by Microsoft. The sha256 of a code signing certificate might be the hash of the key rather than the hash of the installer file, but
certutil -hashfile
does return hashes of the file. That system is like the hierarchy of authorities of TLS certificates for HTTPS websites and is completely different from PGP and the web of trust.The text file that sysrqb linked contains a list of sha256 hashes of files in that directory on the distribution (dist.*) server. That text file has a corresponding signature file (*.asc, meaning an ASCII human-readable file as opposed to a *.sig which is more likely in binary format) in the same directory on the server. That signature file verifies the text file. If you verify that way, then first PGP-verify the text file that contains the hashes, and then check that the sha256 hash of your installer file matches the hash written in the text file. Doing it that way is more complicated than directly PGP-verifying the installer as instructed on the support page, but that way is faster for automatic updater tools.
In Tor browser for Android,…
In Tor browser for Android, there are some unnecessary options in settings.
And also some search engines which don't respect privacy.
I can't add or import any…
I can't add or import any bookmarks.
Tor shows this message: "The bookmarks and history system will not be functional because one of Firefox's files is in use by another application. Some security software can cause this problem."
The fixes for Firefox cannot be used because the files that should be removed don't exist (favicons.sqlite, places.sqlite...).
I don't know if this is a…
I don't know if this is a Tor issue or an NoScript issue. With Firefox on Android NoScript works fine. I exported my settings for NoScript, and when I import them into Tor on Android the settings never take affect. No matter how many times I retry the import. It's rather annoying. Does anyone else have this problem?
Since a up from version 9.5…
Since I doing an update from version 9.5.4 for Android arm devices to 10.0.6 arm, the browser app crashes instantly if I try to start it, also my phone pop up a error message everytime I try to start tor and I can see the start interface of tor as long the pop up is open but I can't do anything because when I close the error message it closes tor to, hope you can fix it soon.
What does the pop up message…
What does the pop up message say?
I downloaded the 10.8,…
I downloaded the 10.8, checked the signatures and verified the tar.xz file. Wanted to make a fresh installation.
But something weird is going on for 2 days. While I'm browsing, a web page is opening with the message below.
This happened twice until now.
"Restart Required !" with a red exclamation on browsers title bar.
***
Sorry. We just need to do one small thing to keep going.
Tor Browser has just been updated in the background. Click Restart Tor Browser to complete the update.
We will restore all your pages, windows and tabs afterwards, so you can be on your way quickly.
***
What the heck happened to my browser ? This is not the right way to update. And I know that I'm using the latest version.