Tor Browser's Internal Updater - Security Warning

[html]

Until further notice, it is recommended not to use Tor Browser’s Internal Updater, for security reasons.

More information, and how to update securely, is documented in the wiki; see:

https://www.whonix.org/wiki/Tor_Browser#Updating

User support discussion:

https://www.whonix.org/forum/index.php/topic,810

Forum development discussion:

https://www.whonix.org/forum/index.php/topic,807

Update:

The Tor Project has fixed this in TBB version 4.5a3. (As per blog post.)

Update 2:

At the time of writing, the currently advertised stable version is 4.5.1, which should no longer be affected by this issue.


[/html]

[html]

From the release notes for TBB 4.0:

“This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help (“?”) “about browser” menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.”

Which would seem to indicate that it isn’t as bad as implied, but still not for the ultra-paranoid, though it still isn’t as clear as it perhaps should be.

[/html]
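The quoted release notes say the 4.0 updater's security rested on the HTTPS certificate's issuing CA alone, with certificate pinning and update package signatures still to come. The following is an added example, not code from this thread or from the Tor Project, that models those two checks side by side: a pin on the update server's certificate and a detached signature over the package. The key is textbook RSA of a deliberately small, constructed size so the block runs with only the standard library; the "certificate" byte strings are constructed stand-ins for real DER data. A real updater would use a padded signature scheme (or GPG, as the thread recommends), not this toy.

```python
"""Added example (not Tor Project or Whonix code): why update package
signatures matter separately from transport security.

Models the two checks the 4.0 release notes name as forthcoming: a pin on
the update server's TLS certificate and a detached signature on the update
package.  Textbook RSA with a small, seeded demo key is used so the example
runs offline with the standard library only; all inputs are constructed.
"""
import hashlib
import random

_rng = random.Random(20150101)  # fixed seed: deterministic demo key


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (enough for a demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_signing_key(bits=512):
    """Return ((n, e), (n, d)); constructed, far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def sign_package(package, private_key):
    """Detached signature over SHA-256(package), as a release key would make.
    The 256-bit digest is below the 512-bit modulus, so no padding is needed
    for the demo (a real scheme must pad)."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(package).digest(), "big")
    return pow(digest, d, n)


def verify_package(package, signature, public_key):
    """True only if the signature matches this exact package content."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(package).digest(), "big")
    return pow(signature, e, n) == digest


def cert_pin_matches(cert_der, pinned_fingerprints):
    """Site-specific pinning: the server cert's SHA-256 must be pre-approved,
    whichever CA issued it."""
    return hashlib.sha256(cert_der).hexdigest() in pinned_fingerprints


def accept_update(package, signature, public_key, cert_der, pins):
    """Accept only if the certificate is pinned AND the package signature
    verifies; a pinned TLS channel alone says nothing about the bytes."""
    return cert_pin_matches(cert_der, pins) and verify_package(
        package, signature, public_key)


def demo():
    """Run the three scenarios and report which updates would be accepted."""
    public_key, private_key = make_signing_key()
    package = b"constructed stand-in for tor-browser-4.5.1 update bytes"
    signature = sign_package(package, private_key)
    server_cert = b"constructed DER of the genuine update server certificate"
    rogue_cert = b"constructed DER of a certificate from some other CA"
    pins = {hashlib.sha256(server_cert).hexdigest()}
    return {
        "genuine": accept_update(package, signature, public_key,
                                 server_cert, pins),
        # contents changed in transit or on a compromised mirror
        "tampered_package": accept_update(package + b"\x00", signature,
                                          public_key, server_cert, pins),
        # valid CA-issued certificate, but not the pinned one
        "unpinned_cert": accept_update(package, signature, public_key,
                                       rogue_cert, pins),
        # what a transport-only check would say about the tampered package
        "transport_only_tampered": cert_pin_matches(server_cert, pins),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accept' if accepted else 'reject'}")
```

The last entry of `demo()` is the point of the thread: a check that only trusts the HTTPS channel happily accepts the tampered package, while the signature check rejects it regardless of how the bytes arrived. That is why the notes advise users who normally verify GPG signatures to keep doing so until package signatures ship.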

[html]

I read this and I thought, NO DUH!

I feel good downloading the browser but definitely not the internal updater.

[/html]
