Tor has announced the release of its latest version of the Tor Browser bundle – now known simply as Tor Browser 4.0. Using Tor is one of the most anonymous ways to access the internet (see our comparison of Tor vs. VPN, which includes a look at how the Tor network works), and the updated Tor Browser (itself a fork of Mozilla’s open source Firefox browser) brings the following major improvements over the last stable release (version 3.6.6):
SSL 3.0 disabled to prevent POODLE attack
The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack is the latest in a string of serious security vulnerabilities, which include the Heartbleed and Shellshock attacks. According to Mozilla, POODLE is a man-in-the-middle (MitM) exploit that allows an attacker to,
‘Steal certain confidential information, such as cookies… By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user’s private account data on a website.
Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail.’
While disabling SSL 3.0 (SSLv3) is in some ways a step backwards for security, it is currently the only way to protect against a POODLE attack.
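The insecure fallback described in the Mozilla quote, and the effect of removing SSLv3 from the client, shown as an added toy model (not code from Tor, Mozilla or this article). No real TLS is performed; the version list, the `handshake` and `connect` functions and the `blocked` set are assumptions made for illustration.

```python
# Toy model of version negotiation with insecure fallback (constructed example).
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest


def handshake(offered, server_versions, blocked):
    """One attempt: return the agreed version, or None if the attempt fails.

    offered         -- highest version the client offers on this attempt
    server_versions -- versions the server supports
    blocked         -- versions whose handshakes an on-path party disrupts
    """
    if offered in blocked:
        return None  # the client only sees a failed connection
    # The server picks the highest version it supports that is <= the offer.
    upto = VERSIONS[: VERSIONS.index(offered) + 1]
    candidates = [v for v in upto if v in server_versions]
    return candidates[-1] if candidates else None


def connect(client_min, server_versions, blocked=frozenset(), fallback=True):
    """Model a browser: offer the newest version, retry lower on failure.

    client_min is the oldest version the client accepts; a client with
    SSLv3 disabled has client_min="TLSv1.0". Returns (agreed, attempts).
    """
    floor = VERSIONS.index(client_min)
    attempts = []
    for idx in range(len(VERSIONS) - 1, floor - 1, -1):
        offered = VERSIONS[idx]
        attempts.append(offered)
        agreed = handshake(offered, server_versions, blocked)
        if agreed is not None and VERSIONS.index(agreed) >= floor:
            return agreed, attempts
        if not fallback:
            break  # no insecure fallback: a failed handshake is final
    return None, attempts


if __name__ == "__main__":
    server = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}  # still offers SSLv3
    tls_only = frozenset({"TLSv1.0", "TLSv1.1", "TLSv1.2"})
    print("no interference:     ", connect("SSLv3", server))
    print("SSLv3 still enabled: ", connect("SSLv3", server, blocked=tls_only))
    print("SSLv3 disabled:      ", connect("TLSv1.0", server, blocked=tls_only))
```

With SSLv3 still enabled, the modelled client ends up on SSLv3 even though the server supports TLS 1.2; with SSLv3 disabled, the same interference produces a failed connection instead of a downgraded one.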
The Tor browser is based on Firefox ESR (Extended Support Release), a more stable and secure (but less consumer-oriented) version of Firefox. The Tor bundle incorporates the improvements made in upgrading Firefox ESR 24 to version 31, introducing many security fixes (including fixes for seven critical vulnerabilities).
New anti-censorship tools
One of the biggest problems with using Tor as an anti-censorship tool is that only a limited number of volunteers are willing to run public exit nodes (the last Tor node in the chain of servers that link users to the internet).
Because there are only a limited number of these exit nodes, and because their IP addresses are generally publicly known, they can be easily blocked by authoritarian governments such as China and Iran.
Tor has been working for a while now to address this problem using technologies such as obfsproxy and pluggable transports, but Tor Browser 4.0 is the first version to incorporate these directly into the browser (rather than as downloadable plugins), offering users the choice to configure a bridge or proxy settings when the browser starts in as user-friendly a way as is currently possible.
Tor 4.0 can be downloaded from here.
We have looked at The Amnesiac Incognito Live System (TAILS) in some detail before. It is a Debian-based Linux LiveDVD distro that is highly security focused, and which routes all internet connections through the Tor network.
The newly released version 1.2 fixes numerous security issues, replaces the IceWeasel browser with Tor Browser 4.0 (and so includes all the improvements listed above), and adds a dedicated I2P browser.
Previous versions of Tails included TrueCrypt, but as this is no longer considered secure, Tails makes it clear that the program will be removed from version 1.3. It remains included in version 1.2, however, in order to allow users to open existing TrueCrypt containers and migrate data away from the program.
Users are advised to upgrade to Tails 1.2 as soon as possible, which can be downloaded or upgraded from here.