


Tor Browser 6.0: Ditches SHA-1 support, uses DuckDuckGo for default search results

May 31, 2016 | 3 mins
Data and Information Security, Security

A stable Tor Browser 6.0 has been released; it disabled SHA-1 support, got rid of the Mac Gatekeeper problem, and switched its default search results to DuckDuckGo.

Tor Browser 6.0 is out. If you have been using Tor, you can upgrade it via its built-in updater. The Tor Project said the “updater is not relying on the signature alone, but is checking the hash of the downloaded update file as well before applying it.” Additionally, the Tor Browser Windows installer is no longer vulnerable to DLL hijacking.

DuckDuckGo for default search results

The Tor Browser Team is still using Disconnect as its search provider, but it switched to DuckDuckGo to provide the default search results. In short, the reason is that Bing search results were simply not cutting it. The team explained:

Disconnect has no access to Google search results anymore which we used in Tor Browser. Disconnect being more a meta search engine which allows users to choose between different search providers fell back to delivering Bing search results which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation we asked them to change the fallback to DuckDuckGo as their search results are strictly better than the ones Bing delivers.

You can still choose Bing or Yahoo if you so desire, but Google hasn’t been an option for some time. After Google banned Disconnect for Android in 2014, Disconnect filed an anti-trust complaint with European regulators and accused Google of abusive conduct. DDG is better at any rate, IMHO.

Killing off SHA-1 support

Tor Browser 6.0 has disabled support for SHA-1 certificates. Tor is ahead of the pack.

Microsoft intends to stop considering SHA-1 certificates to be secure for Edge and IE when it rolls out the Windows 10 Anniversary Update, but will not start blocking SHA-1 signed TLS certificates until 2017. Mozilla was shooting for January 1, 2017, as the date to start rejecting all SHA-1 SSL certificates, but said it was considering pushing the cut-off date to as early as July 1, 2016. Chrome, too, had planned to block all SHA-1 certificates starting in January 2017, but said it might push up the date to July 1, 2016.

The first stable release of Tor Browser 6.0 uses the core Firefox build Firefox 45-ESR (Extended Support Release), meaning better HTML5 support, such as for YouTube. Tor blocks Flash and some other plugins, but if you want Tor to really work, then you should avoid installing any add-ons or plugins since that can “harm your anonymity and privacy.”

Privacy enhancements

6.0 includes “new privacy enhancements,” although those were not specified. Some features were disabled if the team didn’t have time to fix the issues or if they decided the features were “potentially harmful in a Tor Browser context.”

Tor Browser for Mac minus Gatekeeper problems

Mac users should be rejoicing since 6.0 includes code signing for OS X, which should do away with the Gatekeeper issues that make it a challenge to run Tor on a Mac.

You can check out the full changelog provided on the Tor Project post announcing the stable release of Tor Browser 6.0. If you don’t already have Tor, then I encourage you to download it for your box, be that Windows, Mac or Linux.

It’s not a silver bullet guaranteed to protect your privacy, but it helps. You might consider combining Tor with a VPN for added privacy and security.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.