Pierluigi Paganini June 02, 2016

The Tor Project released the Tor Browser 6.0, the last version of the popular Tor browser that brings along significant privacy and security improvements.

Early this week the Tor Project released the new version of the Tor Browser, the Tor Browser 6.0 which is based on Firefox ESR 45.

The new version of the popular browser comes with a series of important privacy and security enhancements. Tor 6.0 uses HTTPS-Everywhere 5.1.9 to preserve the privacy of its users on all platforms, including OS X.

HTTPS Everywhere is a Firefox, Chrome, and Opera extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation, it encrypts communications with many major websites.

One of the most significant enhancement in the Tor Browser 6.0 is the ending of support for SHA1 certificates. Hashing algorithms are used to ensure the integrity of the certificate in the signing processes, a flawed algorithm could allow an attacker to forge fraudulent certificates.

In the past collision attacks against the MD5 hash algorithm allowed threat actors to obtain fraudulent certificates, security experts want to avoid similar problems for SHA-1.

The SHA-1 hash algorithm is vulnerable to collision attacks that will be soon possible, in 2012 experts demonstrated how breaking SHA1 is becoming feasible. IT giants have already deprecated the popular hashing algorithm, Mozilla, Google, Facebook, and CloudFlare.

The Tor 6.0 uses the OpenSSL 1.0.1t library that was recently released to fix a number of vulnerabilities, including the high severity CVE-2016-2107.

The CVE-2016-2107 flaw affecting the open-source cryptographic library could be exploited to launch a man-in-the-middle attack leveraging on the ‘Padding Oracle Attack’ that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI.

According to the experts, the flaw affects the OpenSSL cryptographic library since 2013, when maintainers of the project fixed another Padding Oracle flaw called Lucky 13.

According to the official announcement published by the Tor Project, the new release of the popular browser fixes a DLL hijacking vulnerability.

The last release Tor Browser implements more efficient support of the HTML5 that is considered more secure and privacy-friendly of other web technologies.

It resumed the update.xml hash check that was disabled in Firefox 43 and removed DNS lookup in lockfile code, but I suggest to give a close look to the changelog reveals that the update removes DNS lookup in lockfile code, disables libmdns support for desktop and mobile, disables

The Tor project is very active in the defense of the users’ privacy and security, just a few days ago it announced its success in the development of a distributed random number generator to include in the Next-gen Tor.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Tor Browser 6.0, privacy)