The Tor Project has released version 4.0 of its popular eponymous browser that allows users to use the Internet anonymously and privately, and to circumvent online censorship and surveillance efforts by various countries.
Since the Tor Browser Bundle – now called only Tor Browser – includes a modified Mozilla Firefox ESR web browser, this new release features security updates for it that were incorporated in Firefox 31 ESR.
The team has also disabled SSLv3 in this release in order to protect users against POODLE attacks.
Another important change is the addition of three versions of meek, a pluggable transport that uses HTTP for carrying bytes and TLS for obfuscation.
Two of them – meek-amazon and meek-azure – at the moment allow users in mainland China to bypass the country’s Great Firewall but, according to the developers, “the meek transport still needs performance tuning before it matches other more conventional transports,” and they plan to work on it.
“This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work,” explained Tor Browser and Tor Performance Developer Mike Perry.
“Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help (‘?’) ‘about browser’ menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning and update package signatures. Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.”
A new version of Tails, the security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity, has also been released.