Digital ID

Tor Browser 6.0 is out with significant privacy and security improvements

The Tor Project released the Tor Browser 6.0, the last version of the popular Tor browser that brings along significant privacy and security improvements.

Early this week the Tor Project released the new version of the Tor Browser, the Tor Browser 6.0 which is based on Firefox ESR 45.

The new version of the popular browser comes with a series of important privacy and security enhancements. Tor 6.0 uses HTTPS-Everywhere 5.1.9 to preserve the privacy of its users on all platforms, including OS X.

HTTPS Everywhere is a Firefox, Chrome, and Opera extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation, it encrypts communications with many major websites.

One of the most significant enhancement in the Tor Browser 6.0 is the ending of support for SHA1 certificates. Hashing algorithms are used to ensure the integrity of the certificate in the signing processes, a flawed algorithm could allow an attacker to forge fraudulent certificates.

In the past collision attacks against the MD5 hash algorithm allowed threat actors to obtain fraudulent certificates, security experts want to avoid similar problems for SHA-1.

The SHA-1 hash algorithm is vulnerable to collision attacks that will be soon possible, in 2012 experts demonstrated how breaking SHA1 is becoming feasible. IT giants have already deprecated the popular hashing algorithm, Mozilla, Google, Facebook, and CloudFlare.

The Tor 6.0 uses the OpenSSL 1.0.1t library that was recently released to fix a number of vulnerabilities, including the high severity CVE-2016-2107.

The CVE-2016-2107 flaw affecting the open-source cryptographic library could be exploited to launch a man-in-the-middle attack leveraging on the ‘Padding Oracle Attack’ that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI.

According to the experts, the flaw affects the OpenSSL cryptographic library since 2013, when maintainers of the project fixed another Padding Oracle flaw called Lucky 13.

According to the official announcement published by the Tor Project, the new release of the popular browser fixes a DLL hijacking vulnerability.

The last release Tor Browser implements more efficient support of the HTML5 that is considered more secure and privacy-friendly of other web technologies.

It resumed the update.xml hash check that was disabled in Firefox 43 and removed DNS lookup in lockfile code, but I suggest to give a close look to the changelog reveals that the update removes DNS lookup in lockfile code, disables libmdns support for desktop and mobile, disables

The Tor project is very active in the defense of the users’ privacy and security, just a few days ago it announced its success in the development of a distributed random number generator to include in the Next-gen Tor.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Tor Browser 6.0, privacy)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

3 hours ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

7 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

21 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.