New Release: Tor Browser 10.0.8

by sysrqb | January 13, 2021

Tor Browser 10.0.8 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox for desktops to 78.6.1esr and Firefox for Android to 84.1.4. This version resolves instability on Apple macOS devices with the new M1 processor.

The full changelog since Desktop and Android Tor Browser 10.0.7 is:

  • All Platforms
    • Update NoScript to 11.1.7
  • Windows + OS X + Linux
    • Update Firefox to 78.6.1esr
  • Android
    • Update Firefox to 84.1.4
  • OS X
    • Bug 40262: Browser tabs crashing on the new Macbooks with the M1 chip
  • Build System
    • Android
      • Bug 40195: repo.spring.io is not usable anymore

Comments

Please note that the comment area below has been archived.

January 13, 2021

Permalink

I had about five blue pop-ups from Noscript about potential DoS javascripts on the day before you released this version. I don't know if it was just the news sites I had open (mainstream sources) or the number of tabs (over 100). My security level was "safer". Each page had lots of ads of course, too. Usually, the only pop-ups I have are for allowing media.

January 15, 2021

In reply to sysrqb

Permalink

Yes, it's because NoScript shows this after timeout. More annoying on slower machines.

January 17, 2021

In reply to sysrqb

Permalink

I remember "potential DoS", but I don't remember if all of them said "potential". They looked like the cross-site scripting alert. The log textarea on the pop-ups was much bigger, and they had the 4 XSS choices. Block, Always block, Allow, Always allow. I'm mostly confident they were from NoScript, but it's the first time I can remember noticing "DoS" in them.

January 13, 2021

Permalink

you should probably mention this fixes a use-after-free bug in Firefox that was rated by them as critical (CVE-2020-16044)

I considered mentioning it. The affected code (WebRTC) is not used in Tor Browser, so there was a trade-off between mentioning it and explaining that Tor Browser was not affected, and, therefore, hoping that including it wouldn't confuse people more; or just leaving it out of the post.

January 15, 2021

In reply to sysrqb

Permalink

+1

January 16, 2021

In reply to sysrqb

Permalink

Do you know of any plans for WebRTC support in future? Could be useful for things like videoconferencing without revealing IP. I think IceCat already claims to fix the IP issue with WebRTC.

January 13, 2021

Permalink

Issue 40081 "Letterboxing since 32220 affected by layout.css.devPixelsPerPx" issue was introduced in 9.5a2 and has continued to persist in each new release.

Do you mean bug 40237 explained in the blog post for tor 0.4.5.3-rc? In version names, "rc" means "release candidate". It's being tested before it becomes a standard release version. After a tor daemon version drops the "rc" and is released as a standard version, it will be bundled into a release of Tor Browser.

Refresh your copy of the key. Read the updated Support FAQ:
https://support.torproject.org/tbb/how-to-verify-signature/

Some keys on public keyservers were flooded with signing signatures in 2019. Until the ecosystem recovers or a patched GPG is standard in most places, some users are serving keys via methods they have more control of.
https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-cer…
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html

January 14, 2021

Permalink

File uploading doesn't work for me on Android. I've seen other people mention this, is this a known issue?

January 15, 2021

Permalink

I have been getting this message for a few weeks now when I choose New Identity:
Torbutton: Unexpected error during storage clearing: Error: Error deleting data with flags 526280: 256
I just click OK and everything is normal but it's annoying.

January 15, 2021

Permalink

Just tried Duck to find "Ted Cruz testimony house hearings" had some difficulty, then installed Tor and tried again. Several pics showed up of Cruz testifying....when I selected one, a message popped up "our systems have detected unusual traffic from your computer network. Please try your request again later. (Then, in blue, this comment) Why did this happen?" I hesitated but went ahead and clicked on the Why? and here is what popped up...

This page appears when GOOGLE automatically detects requests coming from your computer network which appear to be in violation of the TERMS OF SERVICE, The block will expire shortly after those requests stop. This traffic may have been sent by malicious software, a browser plug-in or a script that sends automated requests. If you share your network
connection, ask your Administrator for help - a different computer using the same IP address may be responsible. LEARN MORE , Sometimes you may see this page if you are using advanced terms that robots are known to use or sending requests very quickly.

My Question...it seems Google/YouTube just blocked me, even though I was using Tor??
Any suggestions?

Sorry, no suggestions, but they blocked your request because you were using Tor. Google sees abusive connections coming from Tor and blocks them, then they block non-abusive connections coming from the same Tor exit nodes.

I experience this a lot using YouTube with the Tor Browser.

Google redirects you to that page sometimes when you're using tor. To get around it you can try the New Circuit for this Site button or the New Identity button (so you'll be using a different exit node). If you're trying a new circuit make sure you're on the site you were redirected from (e.g. you went to youtube.com and were redirected to the captcha at google.com, afaik it'll only work if you request a new circuit when you're on youtube.com). Sometimes you can't do that so you'll have to do the New Identity thing.

January 15, 2021

Permalink

As a TBB Linux user, I haven't been able to connect to Tor with obfs4 since 10.06. It stops at 25% retreiving network information and only meek works. Whonix doesn't connect at all. Connecting directly isn't an option :( These are the logs:
1/16/21, 00:11:59.514 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/16/21, 00:11:59.514 [NOTICE] Opening Socks listener on 127.0.0.1:9150
1/16/21, 00:11:59.514 [NOTICE] Opened Socks listener on 127.0.0.1:9150
1/16/21, 00:12:00.478 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
1/16/21, 00:12:00.479 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
1/16/21, 00:12:00.558 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
1/16/21, 00:12:00.597 [NOTICE] Bootstrapped 14% (handshake): Handshaking with a relay
1/16/21, 00:12:00.665 [NOTICE] Bootstrapped 15% (handshake_done): Handshake with a relay done
1/16/21, 00:12:00.666 [NOTICE] Bootstrapped 20% (onehop_create): Establishing an encrypted directory connection
1/16/21, 00:12:00.701 [NOTICE] Bootstrapped 25% (requesting_status): Asking for networkstatus consensus
1/16/21, 00:12:04.637 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
1/16/21, 00:12:04.637 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/16/21, 00:12:04.637 [WARN] Pluggable Transport process terminated with status code 0
1/16/21, 00:12:05.487 [NOTICE] Delaying directory fetches: DisableNetwork is set.

Please help.

January 20, 2021

In reply to sysrqb

Permalink

This happens for the default obfs4 bridge and for bridges I get from moat after doing a captcha. Whonix doesn't connect through obfs4 or meek at all.. I think something related might be going on because Whonix and TBB's progress bars just stop, but the Whonix one stops while bootstrapping and the TBB one stops while retreiving network status. I've tried so many times and am afraid of losing connectivity for the browser altogether :(

January 15, 2021

Permalink

Colors still mostly don't work. This text field I'm typing in has a green background, which is probably what I told it to do but white text, which I told it not to do. This has been broken awhile, as the last of the 7.x builds worked as expected but early 8.x builds needed to be fidgeted with repeated before honoring the browser.display.document_color_use setting. Soon after, it stopped honoring any setting but its own, so much of my TOR-browsing is done in the 7.x installer I could find.

Please continue looking into this.

January 17, 2021

Permalink

one thing that I'm missing: the security-level-slider should be independently working for different opened windows

January 17, 2021

Permalink

I get like five error popups after installing and trying to run the browser on windows 10. Anyone think they can help me.

January 19, 2021

Permalink

Hi,

I want to verify that the download of Tor Project Browser was true. I ran Kleopatra to verify the sign keys on the installer before downloading, but shouldn't there be sha256 available in the code signing certificate or online so I can verify using cmd certutil -hashfile (also new to gpg4win)? I'm on windows btw.

Thanks,
A noob

That information is published if you want it, but the PGP (using GPG4Win) is sufficient for verifying the authenticity and integrity of the installer. The sha256 has is available in the sha256sums-signed-build.txt file on the server. This file is signed like the installer, too. For example: https://dist.torproject.org/torbrowser/10.0.8/sha256sums-signed-build.t…

New User, read this carefully:
https://support.torproject.org/tbb/how-to-verify-signature/

Check that the 40-digit fingerprint of your copy of Tor Project's signing key matches the fingerprint on that page. It might start "0x...." which simply means it's a hexadecimal number. Your GPG may display only the final 8 or 16 digits (keyID), but you can edit gpg.conf to make it display the fingerprint and long keyID on the command line, or you can check the fingerprint in GPA or Kleopatra.

Code signing certificates are a Microsoft thing. Their signature is bundled into the installer, and their X.509 CA key is already bundled into the Windows OS by Microsoft. The sha256 of a code signing certificate might be the hash of the key rather than the hash of the installer file, but certutil -hashfile does return hashes of the file. That system is like the hierarchy of authorities of TLS certificates for HTTPS websites and is completely different from PGP and the web of trust.

The text file that sysrqb linked contains a list of sha256 hashes of files in that directory on the distribution (dist.*) server. That text file has a corresponding signature file (*.asc, meaning an ASCII human-readable file as opposed to a *.sig which is more likely in binary format) in the same directory on the server. That signature file verifies the text file. If you verify that way, then first PGP-verify the text file that contains the hashes, and then check that the sha256 hash of your installer file matches the hash written in the text file. Doing it that way is more complicated than directly PGP-verifying the installer as instructed on the support page, but that way is faster for automatic updater tools.

January 20, 2021

Permalink

In Tor browser for Android, there are some unnecessary options in settings.

  • Theme - It is only for tab view background
  • Log in and password - It may be unsafe
  • Location - It will disclose real location if permission has given
  • Camera - Harmful for privacy for everyone who using tor browser
  • Microphone - Harmful for privacy for everyone who using tor browser

And also some search engines which don't respect privacy.

January 21, 2021

Permalink

I can't add or import any bookmarks.
Tor shows this message: "The bookmarks and history system will not be functional because one of Firefox's files is in use by another application. Some security software can cause this problem."
The fixes for Firefox cannot be used because the files that should be removed don't exist (favicons.sqlite, places.sqlite...).

January 22, 2021

Permalink

I don't know if this is a Tor issue or an NoScript issue. With Firefox on Android NoScript works fine. I exported my settings for NoScript, and when I import them into Tor on Android the settings never take affect. No matter how many times I retry the import. It's rather annoying. Does anyone else have this problem?

January 23, 2021

Permalink

Since I doing an update from version 9.5.4 for Android arm devices to 10.0.6 arm, the browser app crashes instantly if I try to start it, also my phone pop up a error message everytime I try to start tor and I can see the start interface of tor as long the pop up is open but I can't do anything because when I close the error message it closes tor to, hope you can fix it soon.

January 24, 2021

Permalink

I downloaded the 10.8, checked the signatures and verified the tar.xz file. Wanted to make a fresh installation.

But something weird is going on for 2 days. While I'm browsing, a web page is opening with the message below.
This happened twice until now.

"Restart Required !" with a red exclamation on browsers title bar.

***
Sorry. We just need to do one small thing to keep going.

Tor Browser has just been updated in the background. Click Restart Tor Browser to complete the update.

We will restore all your pages, windows and tabs afterwards, so you can be on your way quickly.
***

What the heck happened to my browser ? This is not the right way to update. And I know that I'm using the latest version.