Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Tor Browser Gets Multiple Security Enhancements

Recently released version 6.0 of the Tor (The Onion Router) browser brings along multiple privacy and security improvements, along with other fixes.

Recently released version 6.0 of the Tor (The Onion Router) browser brings along multiple privacy and security improvements, along with other fixes.

Released on Monday, the new browser iteration is based on Firefox ESR 45, meaning that users benefit from the security enhancements packed inside that release. Moreover, Tor 6.0 uses HTTPS-Everywhere 5.1.9 and was meant to ensure smooth operation on all platforms, including OS X, where newly introduced code-signing should eliminate OS X Gatekeeper interferences when using Tor.

One of the most important changes in the new release, however, is the disabled support for SHA1 certificates. Proven weak a long time ago, the two decades-old cryptographic standard is already being killed in Firefox, Chrome, and Internet Explorer/Edge, although companies such as Facebook and CloudFlare want the algorithm alive on older browsers.

Tor 6.0 now uses OpenSSL 1.0.1t, the latest version of the toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Released in early May, OpenSSL 1.0.1t addressed various security issues, the most important of which was a high severity flaw (CVE-2016-2107) introduced in 2013 that allowed a man-in-the-middle (MitM) attacker to decrypt traffic, and which still hasn’t been patched on many of the world’s most visited websites.

Better HTML5 support was also included in the latest Tor version, in line with the industry-wide move toward a Flash-free online experience, making the browser more secure and improving user privacy. Furthermore, the updated browser resolves a DLL hijacking vulnerability and reinstates the update.xml hash check that was disabled in Firefox 43, while also patching other bugs for all supported platforms.

The release changelog reveals that the update removes DNS lookup in lockfile code, disables libmdns support for desktop and mobile, disables MediaDevices.enumerateDevices and performance-based WebGL fingerprinting, as well as Selfsupport and Unified Telemetry, and HTTP Alternative-Services, among other options.

Tor Browser 6.0 is only one of the steps that Tor is taking toward improved privacy and security, though these changes are meant to impact the Onion services and not the browser. Last week, Tor announced work on a system for distributed random number generation on the Tor network, which is already in the testing, and which should deliver far better security than the current system.

Advertisement. Scroll to continue reading.

This announcement came hot on the heels of University of Texas at Austin revealing that it made a breakthrough in random number generation that should improve encryption. 

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Government

The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.