Tor Browser’s Internal Updater – Security Warning

Until further notice, we recommend against using Tor Browser’s internal updater, for security reasons.

More information, including how to update securely, is documented in the wiki:
https://www.whonix.org/wiki/Tor_Browser#Updating

User support discussion:
https://www.whonix.org/forum/index.php/topic,810

Forum development discussion:
https://www.whonix.org/forum/index.php/topic,807

Update:
The Tor Project has fixed this in TBB version 4.5a3 (as per the blog post).

Update 2:
At the time of writing, the currently advertised stable version is 4.5.1, which should no longer be affected by this issue.

Patrick Schleizer
Developer and maintainer at Whonix
Patrick started developing Whonix, the Anonymous Operating System, in 2012, and others quickly joined the effort. He gathered experience working pseudonymously on Whonix for two years and enjoys collaboratively working on privacy-preserving software.

Posted in Whonix archived blog posts
2 comments on “Tor Browser’s Internal Updater – Security Warning”
  1. Anonymous says:

    From the release notes for TBB 4.0:
    “This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the http://www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help (“?”) “about browser” menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.”

    Which would seem to indicate that it isn’t as bad as implied, but still not for the ultra-paranoid, though it still isn’t as clear as it perhaps should be.

  2. Anonymous says:

    I read this and I thought, NO DUH!

    I feel good downloading the browser but definitely not the internal updater.