Unless you are on NSA watch list, Tor will always give you the best anonymity browsing experience, probably explaining why the browser is popular among hackers. With the new release, Tor Browser 4.0 and Tail 1.2, your back is totally covered.
Tor (The onion Router) conceals your identity by encrypting and distributing your communicating across several Tor servers. Anyone trying to trace back, will see traffic from random nodes rather than from your computer. The Tor browser on its part ensure all internet connection are sent via the Tor network. It is based on Extended Support Release (ESR) version of Mozilla Firefox project, which has been updated from 24 ESR to 31ESR in the new Tor browser 4.0.
The new Tor update, available at the Tor Browser Project page, comes with several security fixes including a fix on vulnerabilities such as the Poodle bug. According to official post SSL 3.0 have been disable thus preventing the “protocol downgrade date” that allowed a hacker to exploit weakness in SSL 3.0 protocol. “This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.”
The Poodle vulnerability “allows the plaintext of secure connections to be calculated by a network attacker,” says the researcher Bodo Möller at Google. “If a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around serve side interoperability bugs.”
Countries using Deep packet inspection (DPI) to recognize and filter Tor traffic flows will get it rough with the new Tor update, which has addition versions of meek pluggable transport. Technically, pluggable transport transforms Tor traffic between the client and the relay bridge, giving it an “innocent-looking” face that is not disguisable even by DPI.
“More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note though that we still need to improve meek’s performance to match other transports, so adjust your expectations accordingly.” states the release note.
The Tor browser 4.0 release also feature an easy to use in-browser which will soon “support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379).” However, users interested in stronger security, are advised not use the in-browser for the time being.
“This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work,” reads the blog post. “Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help (“?”) “about browser” menu option,” stated the release note.
Unfortunately, MAC OS user will have to wait for a while before experiencing the new release Tor browser 4.0. “We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system,” reads the blog post.
Earlier this week Tor project released new Tail 1.2 featuring numerous security updates as well. Basically a Tail also known as an “Amnesiac Incognito Live System” is live operating system that can be started on any computer from a portable storage device such as a USB stick or SD card, aimed at preserving the privacy and anonymity of the user.