Tor Browser 6.0: Ditches SHA-1 Support, Uses DuckDuckGo For Default Search Results (torproject.org)
Version 6.0 of Tor Browser, free software for enabling anonymous communication, is now available to download. The new version introduces several changes, including disabling SHA-1 support and removing a Mac Gatekeeper issue. Another big change is that Tor now uses DuckDuckGo for search results by default. The Tor Project, the people behind Tor, adds that the "updater is not relying on the signature alone, but is checking the hash of the downloaded update file as well before applying it." More details on NetworkWorld.
Anonymous communication (Score:4, Insightful)
Re:Anonymous communication (Score:5, Informative)
I often use Tor not because I do not want to be monitored by my government (not doing illegal things), but because I don't want to feed data to the ever hungry Google and other companies.
Re: Anonymous communication (Score:3)
I thought I was the only person who browsed slashdot through an IP over avian carrier connection.
Re: (Score:1)
stool pigeons
Re: (Score:2)
Six digits is low ID? Wow.
Re: (Score:2)
The low end of six digits includes plenty who were here from the earliest days. Many people didn't bother to get an account until karma was added, at which point the UIDs shot up to 200k or so as most people finally broke down and got an account.
Re: (Score:2)
You kids these days...
Re: (Score:2)
I think it's a reference to "um... Lucas" above, with an ID of #13147. That's the lower end of FIVE digits, which is pretty good.
Re: (Score:2)
And there you have provided an excellent example of FUD. Are you paid to spread fear?
Re: (Score:2)
Even if it is, unless you do something very stupid, they cannot easily identify you.
Signatures are hashes (Score:4, Informative)
A digital signature is a hash that's been encrypted using a private key such that the public can verify its authenticity. Regardless of all attacks, if you have the public key, you can validate that the published hash is indeed published by a holder of the private key.
Verifying the digital signature of a download is done by computing the hash, verifying that hash, and verifying that the provided hash was encrypted with a public key matching a particular private key.
Tor basically said they're doing meaningless shit.
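The two checks named in the story summary and discussed in the comment above (a signature on the update file, plus a hash of the downloaded file), shown side by side as an added example; this is not code from the Tor or Mozilla updater. `Manifest`, `VerifyUpdate` and `Demo` are hypothetical names, Ed25519 and SHA-512 are chosen for illustration, and the file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update description fetched separately from the file.
type Manifest struct {
	SHA512Hex string // hash of the exact file this manifest offers
}

var ErrSignature = errors.New("signature does not verify under pinned key")
var ErrHash = errors.New("file hash differs from manifest")

// VerifyUpdate runs both checks: the signature ties the file to the key holder,
// the manifest hash ties it to the one file that was offered.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, file, sig []byte) error {
	if !ed25519.Verify(pinned, file, sig) {
		return ErrSignature
	}
	want, err := hex.DecodeString(m.SHA512Hex)
	got := sha512.Sum512(file)
	if err != nil || subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return ErrHash
	}
	return nil
}

// Demo builds constructed sample data and returns the result for three files.
func Demo() (good, tampered, replayed error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	oldFile := []byte("constructed update 5.5 contents")
	newFile := []byte("constructed update 6.0 contents")
	oldSig, newSig := ed25519.Sign(priv, oldFile), ed25519.Sign(priv, newFile)
	sum := sha512.Sum512(newFile)
	m := Manifest{SHA512Hex: hex.EncodeToString(sum[:])}
	good = VerifyUpdate(pub, m, newFile, newSig)
	tampered = VerifyUpdate(pub, m, append([]byte("x"), newFile...), newSig)
	replayed = VerifyUpdate(pub, m, oldFile, oldSig) // genuine signature, wrong file
	return
}

func main() { fmt.Println(Demo()) }
```

The third case is the one where the two checks differ: an older file carrying a genuine signature passes the signature check and is rejected only by the manifest hash.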
Re: (Score:2)
And you just demonstrated that you have no clue what you are talking about as you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism. Verifying a signature means an asymmetric verification, no shared value involved.
Re: (Score:2)
you just demonstrated that you have no clue what you are talking about
I suggest you put on a cup.
you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism.
A hash is usually called "one-way encryption." Hashes are MD5, SHA1, SHA256, and so forth. Checksums are a form of hash, thus CRC32 and the simple overflow checksum.
Hashes are not symmetric. Symmetric encryption uses a single key to encrypt and decrypt. Such algorithms include RC4, AES, DES, Twofish, Blowfish, and others.
Verifying a signature means an asymmetric verification, no shared value involved.
Except the signature is shared.
I refer you to this friendly diagram of digital signing [ttgtmedia.com]. As you can see, signing a message involves first computing the h
Re: (Score:2)
You only have demonstrated that you do not even understand basic crypto terms. Nobody with even basic valid crypto knowledge would confuse hashes and encryption, for example. As to digital signatures, hashes are completely optional there and _only_ serve to improve efficiency, they do not serve a security function at all in that usage. You really are completely clueless, and you do not know it. You may also want to look up the "Dunning-Kruger Effect".
Re: (Score:2)
First result for "one-way encryption":
Cryptographic hash function - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/... [wikipedia.org]
Wikipedia
Hash functions based on block ciphers. There are several methods to use a block cipher to build a cryptographic hash function, specifically a one-way compression function. The methods resemble the block cipher modes of operation usually used for encryption.
This is common domain language among cryptographers [youtube.com].
You're the one who tried to imply hashes were symmetric.
As to digital signatures, hashes are completely optional there and _only_ serve to improve efficiency, they do not serve a security function at all in that usage.
Digital signatures are *defined* as using hashes; otherwise the message would only be *encrypted*--with a key everyone has, but without the ability to alter it. The key is called the certificate; the message is called ... the message. It's a signature *because* it uses a hash.
Your argument is consistently "You're a clueless idiot," and my response is cons
Re: (Score:2)
Fascinating. I did not call you a clueless idiot before, but I will do so now. The term "one way encryption" is not used for crypto-hashes, and in particular it is not found on the Wikipedia page you link. Apparently, you did not read it. And while there are certainly crypto-hash constructions based on block-ciphers, this is not a defining characteristic at all, and these are usually slower than proper crypto hashes. I also never said crypto hashes were "symmetric". If you were actually able to read, you wo
Re: (Score:2)
Fascinating. I did not call you a clueless idiot before, but I will do so now. The term "one way encryption" is not used for crypto-hashes, and in particular it is not found on the Wikipedia page you link.
I said it was the "first result on Google" because the Wikipedia page calls hashing a one-way function. If you actually googled one-way encryption [imgur.com], you would see such gems as "What is the most secure one-way encryption" and "one-way encryption means hashing".
I also never said crypto hashes were "symmetric". If you were actually able to read, you would have seen that I said that signatures based on hashes are symmetric signatures.
What you actually said was:
And you just demonstrated that you have no clue what you are talking about as you confused symmetric and asymmetric crypto. Here is a hint: Verifying a hash means to verify a shared, known good value, that is known-good by a different mechanism. Verifying a signature means an asymmetric verification, no shared value involved.
Now, how might I confuse symmetric and asymmetric crypto if verifying a signature is asymmetric?
If verifying a signature is asymmetric encryption, and I have confused the two by confusing a hash with a signature, then on
Should Mozilla embrace privacy? (Score:2, Interesting)
It's no secret that Firefox has been losing users left and right. The latest stats [caniuse.com] show that Firefox has only 6% to 7% of the market across all versions and all platforms. That puts it well below Chrome, and around the same level as niche browsers like iOS Safari and Opera Mini.
Lately, Firefox has been Mozilla's only successful product. Mozilla basically jettisoned Thunderbird, their other successful product. Other efforts like Persona and Firefox OS have been total failures. Bugzilla is ancient history. Ru
Re: (Score:2)
Mozilla should embrace not sucking. I'm still using FF out of habit, but there are so many petty annoyances now that it's only a matter of time before I give up and switch to Chrome like most of my coworkers.
Re: (Score:2)
Sorry to disappoint you but I just switched back to Firefox from Chrome for just these same reasons.
Chrome is slow and regularly pegs my CPU at 100% when I open a few (script-heavy) pages. Also, I found some UI choices odd and never got used to them. (Want to print? Chrome wants me to make a pdf. Really want to print? OK, extra steps.)
Switched back to Firefox a few weeks ago and it seems much faster, never pegs my CPU and I like the UI.
(20 tabs open now in two windows... love side tabs... CPU cool with it e
They should but do the opposite (Score:2)
DuckDuckGo? (Score:1)
Powered by Bing, or Yahoo, etc, right? No thanks. Tor should run its own web crawler, something distributed or P2P like Yacy.
Irrelevant? (Score:1)
Didn't it always? (Score:2)
I thought Tor has always used DuckDuckGo by default.
DDG any good? (Score:2)
I thought since I have to use Google search, instead of trying to hide my search history and tracking etc, wouldn't it be a better strategy to run some script that simply loses my real searching and web use among tons of noise? If millions of people had a built-in browser script that mimicked search requests and a few clicks on a page, Google's tracking data would be effectively