The Tor Browser Bundle is based on an Extended Support Release (ESR) version of Mozilla Firefox. Tor Browser 4.0 moves from Firefox 24 ESR to Firefox 31 ESR, which brings several security fixes, including patches for seven critical vulnerabilities.
The move is also necessary to mitigate the recently disclosed POODLE attack, which lets a network attacker recover plaintext (session cookies, for example) from SSL 3.0 connections. The Tor Project has therefore disabled SSLv3 entirely in the Tor Browser 4.0 release, as explained in the official post.
The measure matters particularly for an anonymity tool like Tor: an attacker who can decrypt a user's SSL connections can spy on browsing activity even when it is carried out over HTTPS, and SSL 3.0 is still widely supported by browsers and servers.
“This vulnerability allows the plaintext of secure connections to be calculated by a network attacker,” said Google researcher Bodo Möller. “If a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around server-side interoperability bugs.”
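As an added illustration that is not part of the original article or of any Tor Project code, the following Python model shows why the SSL 3.0 padding check is exploitable by a network attacker and why the TLS-style check (and, better still, switching SSLv3 off as Tor Browser 4.0 does) closes the hole. Everything in it is constructed for the demonstration: a toy Feistel block cipher built from SHA-256 stands in for the real cipher (only CBC mode matters for the attack), the record layout is a simplified MAC-then-pad format with an 8-byte block and a 16-byte truncated HMAC tag, and the "browser" sends attacker-framed requests that contain a secret cookie, the way injected JavaScript does in the real attack. Keys and the cookie are made up inline.

```python
"""Toy POODLE model: SSL 3.0 CBC padding oracle versus the TLS-style check.
Constructed example, not Tor Project code; see the lead-in for assumptions."""
import hashlib
import hmac
import os

BLOCK = 8      # 8-byte blocks (as with 3DES-CBC); the attack works the same for 16
MAC_LEN = 16   # truncated HMAC-SHA256 tag, assumed for this toy record format


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function (stand-in for a real cipher's internals)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)


def mac(mac_key: bytes, msg: bytes) -> bytes:
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:MAC_LEN]


def seal(enc_key, mac_key, plaintext, tls_style=False):
    """Sender: MAC, pad, CBC-encrypt. SSL 3.0 filler bytes are arbitrary
    (random here); TLS requires every filler byte to equal the length byte."""
    body = plaintext + mac(mac_key, plaintext)
    padlen = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    filler = bytes([padlen]) * padlen if tls_style else os.urandom(padlen)
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(enc_key, iv, body + filler + bytes([padlen]))


def open_record(enc_key, mac_key, iv, ct, tls_style=False):
    """Receiver: True iff the record is accepted. SSL 3.0 validates only the
    length byte, so any block whose last byte decrypts to BLOCK-1 passes."""
    body = cbc_decrypt(enc_key, iv, ct)
    padlen = body[-1]
    if padlen >= BLOCK:
        return False
    if tls_style and any(b != padlen for b in body[-padlen - 1:]):
        return False
    body = body[:len(body) - padlen - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac(mac_key, body[:-MAC_LEN]))


def poodle_recover_byte(enc_key, mac_key, secret, idx, tls_style=False, max_tries=20000):
    """Recover secret[idx]. The attacker picks prefix/suffix lengths (as injected
    JavaScript would) so the target byte ends a block and the padding fills a
    whole block, then copies that block over the final (all-padding) block."""
    prefix = b"A" * ((BLOCK - 1 - idx) % BLOCK + BLOCK)
    suffix = b"B" * (-(len(prefix) + len(secret) + MAC_LEN) % BLOCK)
    pos = len(prefix) + idx          # plaintext offset of the target byte
    i = pos // BLOCK + 1             # its ciphertext block (block 0 is the IV)
    for attempt in range(1, max_tries + 1):
        iv, ct = seal(enc_key, mac_key, prefix + secret + suffix, tls_style)
        blocks = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
        n = len(blocks) - 1          # index of the all-padding final block
        tampered = b"".join(blocks[1:n]) + blocks[i]
        if open_record(enc_key, mac_key, iv, tampered, tls_style):
            # Accepted, so D(C_i)[-1] ^ C_{n-1}[-1] == BLOCK-1. Undo the CBC
            # chaining with C_{i-1} to obtain the original plaintext byte.
            return (BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[i - 1][-1], attempt
    return None, max_tries


def recover_secret(enc_key, mac_key, secret, tls_style=False, max_tries=20000):
    """Byte-by-byte recovery; None if any byte needs more than max_tries records."""
    out = bytearray()
    for idx in range(len(secret)):
        byte, _ = poodle_recover_byte(enc_key, mac_key, secret, idx, tls_style, max_tries)
        if byte is None:
            return None
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    cookie = b"sid=4f3a9c"   # constructed secret the attacker is after
    print("SSL 3.0 padding:", recover_secret(enc_key, mac_key, cookie))
    print("TLS-style padding:", recover_secret(enc_key, mac_key, cookie, True, 2000))
```

With SSL 3.0 padding the oracle accepts a tampered record about once in 256 tries per byte, and each acceptance leaks one plaintext byte; with the TLS-style check the forged block would also have to decrypt to seven correct filler bytes, so the attack never succeeds within any practical number of tries. Note that a real attacker needs neither key: the model passes them only so that the toy sender and receiver can run in one process.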
Another important update concerns censorship circumvention: as explained in the release notes, the new version adds three versions of the meek pluggable transport. meek is a pluggable transport that carries bytes over HTTP and uses TLS for obfuscation; the traffic is relayed through a third party's web front end (the meek-google, meek-amazon and meek-azure variants use Google App Engine, Amazon CloudFront and Microsoft Azure respectively), so a censor sees only a TLS connection to that large provider rather than to a Tor bridge.
“More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note though that we still need to improve meek’s performance to match other transports, though, so adjust your expectations accordingly,” the release notes state.
The new Tor Browser 4.0 also includes an in-browser updater, and the project's developers announced that the bundle will very soon support both strong HTTPS site-specific certificate pinning (ticket #11955) and signatures on update packages (ticket #13379).
“This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work,” reads the blog post. “Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help (“?”) “about browser” menu option.”
Don’t waste time: download Tor Browser 4.0.
Tor Browser 4.0 isn’t the only privacy tool updated in this period: a new version of the live anonymizing distribution Tails (version 1.2) has also been released. Tails, The Amnesic Incognito Live System, is a free Debian-based Linux distribution tuned and optimized to preserve users’ anonymity and privacy.
In this case too, upgrading your privacy tool promptly is crucial.
(Security Affairs – Tor Browser 4.0, TAILS 1.2)