The Internet

Tor Browser 6.0: Ditches SHA-1 Support, Uses DuckDuckGo For Default Search Results (torproject.org) 53

Version 6.0 of Tor Browser, free software for enabling anonymous communication, is now available to download. The new version introduces several changes, including disabling SHA-1 support and removing a Mac Gatekeeper issue. Another big change is that Tor now uses DuckDuckGo for search results by default. The Tor Project, the people behind Tor, adds that the "updater is not relying on the signature alone, but is checking the hash of the downloaded update file as well before applying it." More details on NetworkWorld.
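
An added illustration of the updater behaviour quoted in the summary, checking both a signature and a manifest hash before applying an update. It is not Tor Browser's own updater code; the toy RSA key, the function names and the payloads are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed toy RSA key built from two known Mersenne primes: NOT secure.
# It stands in for a real signing key so the example needs only the stdlib.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (publisher's secret)

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Publisher side: textbook hash-then-sign (no padding, illustration only)."""
    return pow(digest_int(data), D, N)

def signature_ok(data: bytes, sig: int) -> bool:
    """Client side: does the signature over this file verify under (N, E)?"""
    return pow(sig, E, N) == digest_int(data)

def hash_ok(data: bytes, expected_hex: str) -> bool:
    """Client side: is this the exact file the update manifest named?"""
    actual = hashlib.sha512(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)

def accept_update(data: bytes, sig: int, manifest_sha512: str) -> bool:
    # Both checks must pass before the update is applied.
    return signature_ok(data, sig) and hash_ok(data, manifest_sha512)

def demo() -> dict:
    new = b"constructed payload: newer build"
    old = b"constructed payload: older build"
    manifest = hashlib.sha512(new).hexdigest()  # hash the manifest says to expect
    return {
        "current release": accept_update(new, sign(new), manifest),
        "older signed release": accept_update(old, sign(old), manifest),
        "older release, signature alone": signature_ok(old, sign(old)),
        "tampered file": accept_update(new + b"!", sign(new), manifest),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In the second case the older file carries a genuine signature, so only the manifest hash shows that it is not the file this update was meant to deliver.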
This discussion has been archived. No new comments can be posted.

  • by 110010001000 ( 697113 ) on Tuesday May 31, 2016 @12:51PM (#52218073) Homepage Journal
    If "anonymous" means "monitored specifically because you are using Tor" then I guess the summary is correct.
  • by bluefoxlucid ( 723572 ) on Tuesday May 31, 2016 @01:18PM (#52218379) Homepage Journal

    A digital signature is a hash that's been encrypted using a private key such that the public can verify its authenticity. Regardless of all attacks, if you have the public key, you can validate that the published hash is indeed published by a holder of the private key.

    Verifying the digital signature of a download is done by computing the hash, verifying that hash, and verifying that the provided hash was encrypted with a public key matching a particular private key.

    Tor basically said they're doing meaningless shit.

    • by gweihir ( 88907 )

      And you just demonstrated that you have no clue what you are talking about as you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism. Verifying a signature means an asymmetric verification, no shared value involved.

      • you just demonstrated that you have no clue what you are talking about

        I suggest you put on a cup.

        you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism.

        A hash is usually called "one-way encryption." Hashes are MD5, SHA1, SHA256, and so forth. Checksums are a form of hash, thus CRC32 and the simple overflow checksum.

        Hashes are not symmetric. Symmetric encryption uses a single key to encrypt and decrypt. Such algorithms include RC4, AES, DES, Twofish, Blowfish, and others.

        Verifying a signature means an asymmetric verification, no shared value involved.

        Except the signature is shared.

        I refer you to this friendly diagram of digital signing [ttgtmedia.com]. As you can see, signing a message involves first computing the h

        • by gweihir ( 88907 )

          You only have demonstrated that you do not even understand basic crypto terms. Nobody with even basic valid crypto knowledge would confuse hashes and encryption, for example. As to digital signatures, hashes are completely optional there and _only_ serve to improve efficiency, they do not serve a security function at all in that usage. You really are completely clueless, and you do not know it. You may also want to look up the "Dunning-Kruger Effect".

          • First result for "one-way encryption":

            Cryptographic hash function - Wikipedia, the free encyclopedia
            https://en.wikipedia.org/wiki/... [wikipedia.org]
            Wikipedia
            Hash functions based on block ciphers. There are several methods to use a block cipher to build a cryptographic hash function, specifically a one-way compression function. The methods resemble the block cipher modes of operation usually used for encryption.

            This is common domain language among cryptographers [youtube.com].

            You're the one who tried to imply hashes were symmetric.

            As to digital signatures, hashes are completely optional there and _only_ serve to improve efficiency, they do not serve a security function at all in that usage.

            Digital signatures are *defined* as using hashes; otherwise the message would only be *encrypted*--with a key everyone has, but without the ability to alter it. The key is called the certificate; the message is called ... the message. It's a signature *because* it uses a hash.

            Your argument is consistently "You're a clueless idiot," and my response is cons

            • by gweihir ( 88907 )

              Fascinating. I did not call you a clueless idiot before, but I will do so now. The term "one way encryption" is not used for crypto-hashes, and in particular it is not found on the wikipedia-page you link. Apparently, you did not read it. And while there are certainly crypto-hash constructions based on block-ciphers, this is not a defining characteristic at all, and these are usually slower than proper crypto hashes. I also never said crypto hashes were "symmetric". If you were actually able to read, you wo

              • Fascinating. I did not call you a clueless idiot before, but I will do so now. The term "one way encryption" is not used for crypto-hashes, and in particular it is not found on the wikipedia-page you link.

                I said it was the "first result on Google" because the Wikipedia page calls hashing a one-way function. If you actually googled one-way encryption [imgur.com], you would see such gems as "What is the most secure one-way encryption" and "one-way encryption means hashing".

                I also never said crypto hashes were "symmetric". If you were actually able to read, you would have seen that I said that signatures based on hashes are symmetric signatures.

                What you actually said was:

                And you just demonstrated that you have no clue what you are talking about as you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism. Verifying a signature means an asymmetric verification, no shared value involved.

                Now, how might I confuse symmetric and asymmetric crypto if verifying a signature is asymmetric?

                If verifying a signature is asymmetric encryption, and I have confused the two by confusing a hash with a signature, then on

  • by Anonymous Coward

    It's no secret that Firefox has been losing users left and right. The latest stats [caniuse.com] show that Firefox has only 6% to 7% of the market across all versions and all platforms. That puts it well below Chrome, and around the same level as niche browsers like iOS Safari and Opera Mini.

    Lately, Firefox has been Mozilla's only successful product. Mozilla basically jettisoned Thunderbird, their other successful product. Other efforts like Persona and Firefox OS have been total failures. Bugzilla is ancient history. Ru

    • by b0bby ( 201198 )

      Mozilla should embrace not sucking. I'm still using FF out of habit, but there are so many petty annoyances now that it's only a matter of time before I give up and switch to Chrome like most of my coworkers.

    • by mspohr ( 589790 )

      Sorry to disappoint you but I just switched back to FireFox from Chrome for just these same reasons.
      Chrome is slow and regularly pegs my CPU at 100% when I open a few (script-heavy) pages. Also, I found some UI choices odd and never got used to them. (Want to print? Chrome wants me to make a pdf. Really want to print? OK, extra steps.)
      Switched back to FireFox a few weeks ago and it seems much faster, never pegs my CPU and I like the UI.
      (20 tabs open now in two windows... love side tabs... CPU cool with it e

    • Last time I got a survey from Mozilla about the wonderful new Mozilla account for firefox. They want to be chrome, including anything that takes away our privacy. Latest upgrades of firefox mainly contained front-ends to services that you wouldn't want to exist in firefox anyway.
  • Powered by Bing, or Yahoo, etc, right? No thanks. Tor should run its own web crawler, something distributed or P2P like Yacy.

  • I think this is kind of irrelevant. These days, is there a way to surf around the Internet anonymously or without being tracked? I think not.
  • I thought Tor has always used DuckDuckGo by default.

  • I've tried DDG a few times and found it rather useless, in fact I've tried a few alternatives to Google and found them all wanting.
    I thought since I have to use Google search, instead of trying to hide my search history and tracking etc, wouldn't it be a better strategy to run some script that simply loses my real searching and web use among tons of noise? If millions of people had a built-in browser script that mimicked search requests and a few clicks on a page Google's tracking data would be effectively
