Tor Browser major update v4.0

TP109
Posts: 571
Joined: Sat Apr 08, 2006 7:12 pm
Location: Midwestern US

Tor Browser major update v4.0

#1 Post by TP109 »

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR. More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the http://www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures ......
Full announcement here:
https://blog.torproject.org/blog/tor-br ... 0-released

Changelog (long list on this page):
https://blog.torproject.org/category/ta ... ser-bundle

Download:
https://www.torproject.org/download/download-easy.html

Checker
Posts: 1628
Joined: Wed Jun 20, 2007 1:00 pm
Location: Ingolstadt [DE]

Re: Tor Browser major update v4.0

#2 Post by Checker »

@ TP109: There's a 'no install' version for GNU/Linux, but the version for Windows is an installer.

TP109
Posts: 571
Joined: Sat Apr 08, 2006 7:12 pm
Location: Midwestern US

Re: Tor Browser major update v4.0

#3 Post by TP109 »

Checker wrote: @ TP109: There's a 'no install' version for GNU/Linux, but the version for Windows is an installer.
The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.
https://www.torproject.org/projects/torbrowser.html.en
See the instructions for Windows below the Download button.
The Tor Project information is spread over several different sites. Anyway, hopefully the above answers any questions. According to them, the project is still portable (maybe a need to verify that?).

TP109
Posts: 571
Joined: Sat Apr 08, 2006 7:12 pm
Location: Midwestern US

Re: Tor Browser major update v4.0

#4 Post by TP109 »

Even though the name (4.0.1/torbrowser-install-4.0.1_en-US.exe) is misleading because it includes "install" in the filename, it didn't create any links, folders outside of the application, or registry entries; at least according to my tests. So what Tor stated as it being self-contained is true - there isn't a separate "portable" version. Simply double-click the installer and extract to the folder of your choice.

Download page:
https://www.torproject.org/projects/tor ... #downloads

Midas
Posts: 6732
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Tor Browser major update v4.0

#5 Post by Midas »

YMMV, but here's the last of a slew of "TOR is compromised" news:

TP109
Posts: 571
Joined: Sat Apr 08, 2006 7:12 pm
Location: Midwestern US

Re: Tor Browser major update v4.0

#6 Post by TP109 »

Wasn't aware of that. Thanks.

edited after reading the article.
I just read it and would suggest everyone also read it.

joby_toss
Posts: 2971
Joined: Sat Feb 09, 2008 9:57 am
Location: Romania

Re: Tor Browser major update v4.0

#7 Post by joby_toss »

"Authorities" are fu.king scared and pissed of our anonymity and they fu.king never stop! I'm not sure that the "Russian hacker" isn't theirs and I didn't lose faith in TOR, nor will I stop using it (although I don't push its limits).

TOR was attacked before and they were open about it: https://blog.torproject.org/blog/tor-se ... ion-attack
Let's see if they announce this one on their official blog.

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Tor Browser major update v4.0

#8 Post by SYSTEM »

Midas wrote: YMMV, but here's the last of a slew of "TOR is compromised" news:
Actually this isn't a compromise. Tor was never designed to improve your security, only privacy.

Here is the original blog post: http://www.leviathansecurity.com/blog/t ... -binaries/.

Any router on the Internet would be able to modify binaries like that. I believe the attacker here used Tor because anyone can create a Tor exit node.

There are only three defenses against this attack I can think of:
  • Checking hashes of binaries you download from the Internet using any file integrity checker.
  • Downloading binaries via a connection encrypted with TLS (not SSL, because the POODLE attack is the final blow to the security of SSL).
  • Knowing if the binary should be digitally signed (extremely popular software such as Firefox usually is) and not running the binary if it isn't signed.
Unfortunately there are thousands of freeware programs for which none of these defenses are available. :(

Midas
Posts: 6732
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Tor Browser major update v4.0

#9 Post by Midas »

Thanks for clarifying that, SYSTEM. :)

I must confess that I hadn't quite grokked that one. Basically, what you're saying is that as long as I haven't deliberately executed something gotten off TOR and about whose details I wasn't absolutely sure, I'd be alright?

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Tor Browser major update v4.0

#10 Post by SYSTEM »

Midas wrote: Basically, what you're saying is that as long as I haven't deliberately executed something gotten off TOR and about whose details I wasn't absolutely sure, I'd be alright?
Pretty much.

webfork
Posts: 10823
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: Tor Browser major update v4.0

#11 Post by webfork »

I think if you're running Tor in the first place, you're probably paranoid enough to be willing to use a hash program to verify integrity. It would be ideal if Tor Browser integrated a hash tool into their browser downloads so you could very quickly check this. Maybe http://www.ghacks.net/2011/12/06/genera ... n-firefox/ (unfortunately this doesn't really explain what file hashing is so this would be limited to someone who looks into that). Tough call.
SYSTEM wrote: There are only three defenses against this attack I can think of
Some possibilities I thought of:
  • You could also run a VPN through TOR, assuming you trust the exit node. It would probably slow down your connection a little, but not substantially.
  • Only download from a site that uses SSL/TLS (and of course don't bypass a "bad certificate" msg that could be a man-in-the-middle attack)
  • The hash database VirusTotal does a fairly good job of recognizing binaries, although it's not kept up to date with the latest and greatest. New programs wouldn't get recognized.
