Tor Browser 6.0.7 is released
This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (126.96.36.199).
The security flaw responsible for this urgent release is already being actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit available for OS X or Linux users, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.
Tor Browser users who had set their security slider to "High" are believed to have been safe from this vulnerability.
We will have alpha and hardened Tor Browser updates out shortly. In the meantime, users of these series can mitigate the security flaw in at least two ways:
1) Set the security slider to "High", as this prevents the exploit from working.
2) Switch to the stable series until updates for alpha and hardened are available, too.
Here is the full changelog since 6.0.6:
- All Platforms
  - Update Firefox to 45.5.1esr
  - Update NoScript to 188.8.131.52
Those are not good recommendations. You should keep the updater enabled, and if you want to have a more secure Tor Browser, slide the security slider to a higher position. Otherwise you'll make yourself an easier fingerprinting target.
How does not downloading fonts make it less secure? We were hit by font exploits not long ago.
Addons have unique installation timestamps stored within Firefox. I'd rather download addon updates manually, not have Firefox phoning home all the time and telling them when and what addons I've installed.
Your advice is misleading at best.
Customizing individual settings makes your browser fingerprint more unique.
Disabling downloadable fonts will increase security if there's a vulnerability in the font parser, but when every client except yours downloads fonts, it can be told that the person visiting various pages is the same person; https://panopticlick.eff.org/
That's why the Tor project should disable SVG and downloadable fonts on "high" security slider setting, rather than recommending people to configure it manually.
There should, of course, be a choice to do it manually, but TBB should warn the user when a setting being changed can increase fingerprintability.
This is simply a tradeoff between security and anonymity. The only way to have both is if the security slider does this, or an option is added to keep downloading them but just not parse them.
Fonts are usually on another server anyway (fonts.google.com).
NEVER DOWNLOAD ANY FONTS