Slashdot Mirror


Tor Browser 6.0: Ditches SHA-1 Support, Uses DuckDuckGo For Default Search Results (torproject.org)

Version 6.0 of Tor Browser, free software for enabling anonymous communication, is now available to download. The new version introduces several changes, including disabling SHA-1 support and removing a Mac Gatekeeper issue. Another big change is that Tor now uses DuckDuckGo for search results by default. The Tor Project, the people behind Tor, add that the "updater is not relying on the signature alone, but is checking the hash of the downloaded update file as well before applying it." More details on NetworkWorld.

53 comments

  1. Anonymous communication by 110010001000 · · Score: 3, Insightful

    If "anonymous" means "monitored specifically because you are using Tor" then I guess the summary is correct.

    1. Re:Anonymous communication by Anonymous Coward · · Score: 0

      And thanks to this announcement, the FBI and NSA are checking Firefox 45 for exploitable vulnerabilities. Have fun in FPMITA prison.

    2. Re:Anonymous communication by NotInHere · · Score: 4, Informative

      I often use tor not because I don't want to be monitored by my government (not doing illegal things), but because I don't want to feed data to the ever hungry google and other companies.

    3. Re:Anonymous communication by 110010001000 · · Score: 1

      Good idea, but you can do what I do: never ever use the Internet.

    4. Re: Anonymous communication by um...+Lucas · · Score: 2

      I thought I was the only person who browsed slashdot through an IP over avian carrier connection.

    5. Re:Anonymous communication by Anonymous Coward · · Score: 0

      Cool, can you post the # for the /. BBS? Don't hog that shit for yourself.

    6. Re: Anonymous communication by 110010001000 · · Score: 1

      The birds are agents for THEM.

    7. Re:Anonymous communication by Anonymous Coward · · Score: 0

      If only that were true. You're a low ID wanker, you couldn't pry yourself away from your shitty, decades old desktop machine if your life depended on it.

    8. Re:Anonymous communication by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Six digits is low ID? Wow.

    9. Re: Anonymous communication by Anonymous Coward · · Score: 0

      Why should he have to? Did LenPot add an amazing new feature that he can't live without?

    10. Re:Anonymous communication by 110010001000 · · Score: 2

      Um, it's a Dell. It ain't shitty!

    11. Re:Anonymous communication by Anonymous Coward · · Score: 0

      Cool, can you post the # for the /. BBS? Don't hog that shit for yourself.

      Seriously I miss BBS and dial-up MODEMs. This always-on, always available World Wide Web is too easy and the mindless have flooded the noise-to-signal ratio.

    12. Re:Anonymous communication by gweihir · · Score: 1

      And there you have provided an excellent example of FUD. Are you paid to spread fear?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Anonymous communication by lgw · · Score: 1

      The low end of six digits include plenty who were here from the earliest days. Many people didn't bother to get an account until karma was added, at which point the UIDs shot up to 200k or so as most people finally broke down and got an account.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    14. Re:Anonymous communication by Insightfill · · Score: 1

      Six digits is low ID? Wow.

      I think it's a reference to "um... Lucas" above, with an ID of #13147. That's the lower end of FIVE digits, which is pretty good.

    15. Re: Anonymous communication by lhowaf · · Score: 1

      stool pigeons

    16. Re: Anonymous communication by TimSSG · · Score: 1
      Funny, I wish I had mod points. Tim S.

      stool pigeons

    17. Re:Anonymous communication by 110010001000 · · Score: 1

      Yes. You owe me $10.

    18. Re:Anonymous communication by SegFault · · Score: 1

      You kids these days...

    19. Re:Anonymous communication by Anonymous Coward · · Score: 0

      Dude. -PCP

  2. DuckDuckGo Tor Hidden Service by Anonymous Coward · · Score: 0
    1. Re:DuckDuckGo Tor Hidden Service by EvilSS · · Score: 2

      I'm just waiting for the day we find out that DuckDuckGo is actually run by the NSA.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:DuckDuckGo Tor Hidden Service by gweihir · · Score: 1

      Even if it is, unless you do something very stupid, they cannot easily identify you.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:DuckDuckGo Tor Hidden Service by MyFirstNameIsPaul · · Score: 1

      DuckDuckGo is hosted on AWS, so there is nothing special about using it other than it isn't Google or Microsoft.

      --

      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  3. Tails 2.4 release is coming soon! 2016-06-07 by Anonymous Coward · · Score: 0
  4. And here by Anonymous Coward · · Score: 0

    I've been looking for an alt to ddg since it started requesting yahoo.net before it'd display search results this weekend.

    1. Re:And here by Anonymous Coward · · Score: 0

      https://www.ixquick.com/

  5. Signatures are hashes by bluefoxlucid · · Score: 3, Informative

    A digital signature is a hash that's been encrypted using a private key such that the public can verify its authenticity. Regardless of all attacks, if you have the public key, you can validate that the published hash is indeed published by a holder of the private key.

    Verifying the digital signature of a download is done by computing the hash, verifying that hash, and verifying that the provided hash was encrypted with a public key matching a particular private key.

    Tor basically said they're doing meaningless shit.

    1. Re:Signatures are hashes by gweihir · · Score: 1

      And you just demonstrated that you have no clue what you are talking about as you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism. Verifying a signature means an asymmetric verification, no shared value involved.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Signatures are hashes by bluefoxlucid · · Score: 1

      you just demonstrated that you have no clue what you are talking about

      I suggest you put on a cup.

      you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism.

      A hash is usually called "one-way encryption." Hashes are MD5, SHA1, SHA256, and so forth. Checksums are a form of hash, thus CRC32 and the simple overflow checksum.

      Hashes are not symmetric. Symmetric encryption uses a single key to encrypt and decrypt. Such algorithms include RC4, AES, DES, Twofish, Blowfish, and others.

      Verifying a signature means an asymmetric verification, no shared value involved.

      Except the signature is shared.

      I refer you to this friendly diagram of digital signing. As you can see, signing a message involves first computing the hash value, and then encrypting it with the private key; verification of the signature involves decrypting the hash with the public key and comparing it to the hash of the message. A PGP signed message starts as follows:

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Now let's re-read what I said:

      A digital signature is a hash that's been encrypted using a private key such that the public can verify its authenticity. Regardless of all attacks, if you have the public key, you can validate that the published hash is indeed published by a holder of the private key.

      Verifying the digital signature of a download is done by computing the hash, verifying that hash, and verifying that the provided hash was encrypted with a public key matching a particular private key.

      As I have demonstrated, a digital signature is indeed an encrypted hash. That hash can be replaced by a man-in-the-middle attack, but there is no way for an attacker without the private key to digitally encrypt the hash in such a way that it will verify correctly using the expected public key. Thus the hash is verifiable, and an adulterated hash is non-verifiable.

      If your hash is a published MD5 or SHA256 with no encryption (not a signature), a man-in-the-middle can replace the original program *and* the hash with the non-cryptographically-verifiable values. The integrity check will succeed so long as the file isn't damaged, and the authenticity cannot be checked.

      Thus a digital signature *is* a hash, performs all the functions of a hash, and additionally performs authentication.

    3. Re:Signatures are hashes by gweihir · · Score: 1

      You only have demonstrated that you do not even understand basic crypto terms. Nobody with even basic valid crypto knowledge would confuse hashes and encryption, for example. As to digital signatures, hashes are completely optional there and _only_ serve to improve efficiency, they do not serve a security function at all in that usage. You really are completely clueless, and you do not know it. You may also want to look up the "Dunning-Kruger Effect".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Signatures are hashes by Anonymous Coward · · Score: 0

      A digital signature is a hash that's been encrypted using a private key such that the public can verify its authenticity. Regardless of all attacks, if you have the public key, you can validate that the published hash is indeed published by a holder of the private key.

      Sure, but first you have to validate the source of the public key.
      Most people and organizations you want to avoid are capable of setting up keys for verification, so you need to make sure that you got the public key from before the page you are downloading from was taken over.

    5. Re:Signatures are hashes by Anonymous Coward · · Score: 0

      I can't believe you keep posting as non-A/C. gweihir.bozo = true;

    6. Re:Signatures are hashes by bluefoxlucid · · Score: 1

      First result for "one-way encryption":

      Cryptographic hash function - Wikipedia, the free encyclopedia
      https://en.wikipedia.org/wiki/...
      Wikipedia
      Hash functions based on block ciphers. There are several methods to use a block cipher to build a cryptographic hash function, specifically a one-way compression function. The methods resemble the block cipher modes of operation usually used for encryption.

      This is common domain language among cryptographers.

      You're the one who tried to imply hashes were symmetric.

      As to digital signatures, hashes are completely optional there and _only_ serve to improve efficiently, they do not serve a security function at all in that usage.

      Digital signatures are *defined* as using hashes; otherwise the message would only be *encrypted*--with a key everyone has, but without the ability to alter it. The key is called the certificate; the message is called ... the message. It's a signature *because* it uses a hash.

      Your argument is consistently "You're a clueless idiot," and my response is consistently to point to standard first-week concepts in cryptography. I'm not sure where you studied cryptography, but I suggest you go get your money back.

    7. Re:Signatures are hashes by gweihir · · Score: 1

      Fascinating. If I did not call you a clueless idiot before, I will do so now. The term "one way encryption" is not used for crypto-hashes, and in particular it is not found on the Wikipedia page you link. Apparently, you did not read it. And while there are certainly crypto-hash constructions based on block-ciphers, this is not a defining characteristic at all, and these are usually slower than proper crypto hashes. I also never said crypto hashes were "symmetric". If you were actually able to read, you would have seen that I said that signatures based on hashes are symmetric signatures. That is a rather large difference. Incidentally, many asymmetric signature algorithms do not need hashes at all, they just become slow and tedious without them. They are certainly not "defined" that way at all and they are not based on them either, because it is not the hash that provides the security functionality. The hash serves to speed things up and make the signed message smaller, but that is it.

      I would however say that the gem in your collection is confusing certificates and keys. That is priceless to anybody with some real crypto knowledge.

      Listen kid, get at least crypto 101 before you try to tussle with somebody on PhD level in the security field. You are so outclassed it is not funny anymore.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Signatures are hashes by bluefoxlucid · · Score: 1

      Fascinating. If I did not call you a clueless idiot before, I will do so now. The term "one way encryption" is not used for crypto-hashes, and in particular it is not found on the Wikipedia page you link.

      I said it was the "first result on Google" because the Wikipedia page calls hashing a one-way function. If you actually googled one-way encryption, you would see such gems as "What is the most secure one-way encryption" and "one-way encryption means hashing".

      I also never said crypto hashes were "symmetric". If you were actually able to read, you would have seen that I said that signatures based on hashes are symmetric signatures.

      What you actually said was:

      And you just demonstrated that you have no clue what you are talking about as you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism. Verifying a signature means an asymmetric verification, no shared value involved.

      Now, how might I confuse symmetric and asymmetric crypto if verifying a signature is asymmetric?

      If verifying a signature is asymmetric encryption, and I have confused the two by confusing a hash with a signature, then one must conclude a hash is symmetric encryption; however, a hash is only ever referred to as "one-way encryption", never "symmetric encryption." You made a logical proposition to the contrary.

      Further, you proposed that a signature doesn't rely on a shared value. That is patently impossible: some data must be shared to verify that data. In all digital signature algorithms--RSA, DSA, ECC, DH--on all protocols, this is a hash. TLS exchanges keys signed by certificate authorities; modern browsers are rejecting keys signed with old hash algorithms (SHA1) and requiring SHA2, even though the signature still encrypts the hash using RSA. Why would it matter, if digital signatures didn't use hashes?

      Listen kid, get at least crypto 101 before you try to tussle with somebody on PhD level in the security field. You are so outclassed it is not funny anymore.

      Your Ph.D. from 1940 doesn't make you right. Either you weren't paying attention in class or times have changed in the past 80 years. I started studying cryptography in 2003; maybe you should catch up to the modern century.
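
      Added example, not from the story or any commenter: a toy of the hash-then-sign structure argued over in this thread, and of the two separate checks the summary says the Tor updater runs (a hash comparison plus a signature check). The RSA key is constructed from the Mersenne primes M127 and M521 and uses textbook unpadded RSA, so it shows structure only, not a secure scheme; the file contents are constructed samples.

```python
import hashlib

# Constructed toy RSA key pair for illustration only: the factors are the
# Mersenne primes M127 and M521, and the scheme is textbook RSA with no
# padding, which is NOT a secure signature scheme. It only shows the
# hash-then-sign structure discussed in the thread.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def sha256_hex(data: bytes) -> str:
    """Integrity value a publisher might post next to a download."""
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Hash the file, then apply the private exponent to the digest."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recover the signed digest with the public exponent and compare it
    against a fresh hash of the file that was actually received."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == digest


def check_download(data: bytes, published_hex: str, signature: int) -> dict:
    """Two independent checks an updater can run on a downloaded file:
    a bare hash comparison and an asymmetric signature verification."""
    return {
        "hash_matches": sha256_hex(data) == published_hex,
        "signature_valid": verify(data, signature),
    }


# Constructed scenario: the publisher ships a file, its hash and a signature.
ORIGINAL = b"tor-browser-6.0 (constructed sample payload)"
PUBLISHED_HEX = sha256_hex(ORIGINAL)
PUBLISHED_SIG = sign(ORIGINAL)

# Someone in the path swaps the file and recomputes the posted hash, but
# cannot produce a signature over the new file without the private exponent.
TAMPERED = b"tor-browser-6.0 (constructed tampered payload)"
TAMPERED_HEX = sha256_hex(TAMPERED)


def honest_result() -> dict:
    """Unmodified download: both checks pass."""
    return check_download(ORIGINAL, PUBLISHED_HEX, PUBLISHED_SIG)


def swapped_result() -> dict:
    """Swapped file with a recomputed hash: the bare hash check still
    passes, the signature check catches the substitution."""
    return check_download(TAMPERED, TAMPERED_HEX, PUBLISHED_SIG)


if __name__ == "__main__":
    print("honest: ", honest_result())
    print("swapped:", swapped_result())
```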

  6. Should Mozilla embrace privacy? by Anonymous Coward · · Score: 2, Interesting

    It's no secret that Firefox has been losing users left and right. The latest stats show that Firefox has only 6% to 7% of the market across all versions and all platforms. That puts it well below Chrome, and around the same level as niche browsers like iOS Safari and Opera Mini.

    Lately, Firefox has been Mozilla's only successful product. Mozilla basically jettisoned Thunderbird, their other successful product. Other efforts like Persona and Firefox OS have been total failures. Bugzilla is ancient history. Rust hasn't accomplished much. Servo isn't going anywhere. Firefox is the only thing keeping Mozilla barely relevant.

    It's clear why people have left Firefox: numerous awful UI changes, the inclusion of other unwanted changes like Hello and Pocket, and poor performance.

    But what could bring people back to Firefox?

    Fixing the UI, usability and performance issues would be a good start, of course. But that wouldn't be enough.

    I think that Mozilla and Firefox should embrace privacy. That doesn't necessarily mean using Tor, of course. But privacy should become one of their main focuses.

    Instead of being known as the browser that's slow, bloated, and a cheap imitation of Chrome, Firefox could become known as the browser that maximizes user privacy. With an improved reputation and an improved user experience, Firefox could very well make a comeback against Chrome and its other competitors.

    1. Re:Should Mozilla embrace privacy? by b0bby · · Score: 1

      Mozilla should embrace not sucking. I'm still using FF out of habit, but there are so many petty annoyances now that it's only a matter of time before I give up and switch to Chrome like most of my coworkers.

    2. Re:Should Mozilla embrace privacy? by Anonymous Coward · · Score: 0

      But what could bring people back to Firefox?

      Remember when Firefox was the new up-and-coming lean web browser? It garnered massive support from users who donated money to its development and/or advertising in major newspapers at initial release. Oh Firefox how far thou hast strayed from the path of cleanliness, righteousness, and purity. It has been years since I used Mozilla Firefox on a regular basis.

    3. Re:Should Mozilla embrace privacy? by mspohr · · Score: 1

      Sorry to disappoint you but I just switched back to FireFox from Chrome for just these same reasons.
      Chrome is slow and regularly pegs my CPU at 100% when I open a few (script-heavy) pages. Also, I found some UI choices odd and never got used to them. (Want to print? Chrome wants me to make a pdf. Really want to print? OK, extra steps.)
      Switched back to FireFox a few weeks ago and it seems much faster, never pegs my CPU and I like the UI.
      (20 tabs open now in two windows... love side tabs... CPU cool with it even though I also have FreeMind, LibreOffice, gedit, and a few other Java programs running)
      YMMV

      --
      I don't read your sig. Why are you reading mine?
  7. plan9, when you need a friend. by Anonymous Coward · · Score: 0

    "If "anonymous" means "monitored specifically because you are using Tor" then I guess the summary is correct."

    And yet they've said more people browsing clearnet is helping to hide government activities on the clearnet using Tor, so those of us browsing boring clearnet sites provide cover traffic for them, or so I've read.

    These days, if you talk to someone who is fooled by the two party monopoly, and/or entertain conspiracy theories, you can make a wonderful list (I would imagine). Especially 9/11 "truthers."

    "Cypher: You know, I know this steak doesn't exist. I know that when I put it in my mouth, the Matrix is telling my brain that it is juicy and delicious. After nine years, you know what I realize?

    [Takes a bite of steak]

    Cypher: Ignorance is bliss."

  8. DuckDuckGo by Anonymous Coward · · Score: 0

    DDG or DDG HTML? Normal DDG has a bunch of scripts like other web sites - do you know what they're doing? Yes, they say they don't track you, but didn't they recently get bought by $bigcompany? Still better than Google though.

  9. DuckDuckGo? by fustakrakich · · Score: 1

    Powered by Bing, or Yahoo, etc, right? No thanks. Tor should run its own web crawler, something distributed or P2P like Yacy.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:DuckDuckGo? by Anonymous Coward · · Score: 0

      Was that a rhetorical question? Oh I get it, you are morally unable to do a web search on it so your ignorance is somewhat charming.

    2. Re:DuckDuckGo? by Anonymous Coward · · Score: 0

      > Yacy

      Nice idea, but, Java?

  10. [NO CARRIER] by Anonymous Coward · · Score: 0

    maybe so. maybe their .onion hidden service is a honeypot run by the NSA.

    maybe the Facebook .onion hidden service is a honeypot run by the NSA.

    maybe Tor is a honeypot run by the ())FZXxxxxxxxxx

    [NO CARRIER]

  11. Irrelevant? by mirdrack · · Score: 1

    I think this is kind of irrelevant. These days, is there a way to surf around the Internet anonymously or without being tracked? I think not.

  12. Didn't it always? by thegarbz · · Score: 1

    I thought Tor has always used DuckDuckGo by default.

    1. Re:Didn't it always? by Anonymous Coward · · Score: 0

      It previously used Disconnect.me which had anonymous searching on Google and Bing, but they lost support for that and kept redirecting to Duckduckgo instead.

  13. Relay node brah by Anonymous Coward · · Score: 0

    Get a load of this guy, he thinks they'll monitor him less if he doesn't upset the masters.

  14. DDG any good? by Gussington · · Score: 1

    I've tried DDG a few times and found it rather useless, in fact I've tried a few alternatives to Google and found them all wanting.
    I thought since I have to use Google search, instead of trying to hide my search history and tracking etc, wouldn't it be a better strategy to run some script that simply loses my real searching and web use among tons of noise? If millions of people had a built-in browser script that mimicked search requests and a few clicks on a page, Google's tracking data would be effectively useless.

    1. Re:DDG any good? by Anonymous Coward · · Score: 0

      I don't think you realize how much of Google's search function is tailored to you based on the tracking it does.
      Try doing a search with startpage and compare it to the results you get from a regular Google search.
      If you start injecting noise into Google's tracking then your search results will be like if Bing and Yahoo had a child.

  15. They should but do the opposite by Errol+backfiring · · Score: 1

    Last time I got a survey from Mozilla about the wonderful new Mozilla account for Firefox. They want to be Chrome, including anything that takes away our privacy. Latest upgrades of Firefox mainly contained front-ends to services that you wouldn't want to exist in Firefox anyway.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!