The Tor Project released on Friday version 6.0.5 of the Tor Browser. The update eliminates a critical issue in the browser’s HTTPS certificate pinning system that previously allowed the impersonation of Mozilla websites, as well as other domains.

The issue also affects Mozilla Firefox, according to a security expert who goes by the alias @movrcx on Twitter. A patch was released on September 4, but it fixed the bug only in Nightly builds, leaving stable versions of Firefox unpatched.

However, the issue is likely to be taken care of on September 20 with the release of Firefox 49.

Apparently, the issue stems from Firefox’s own method of handling certificate pinning, which is entirely different from the IETF-approved HPKP standard.

For the uninitiated, certificate pinning is an HTTPS feature that allows the browser to accept only one certificate key per domain.

According to Ryan Duff who confirmed the existence of the bug, Firefox doesn’t enforce certificate pinning after a certificate expires, but at the same time, it doesn’t show any verbose warning either.
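The failure mode described above can be shown with a simplified model. This is an added example, not Firefox or Tor Browser code: the host name, key bytes, dates, status strings and the assumption that a pin entry carries its own expiry time are all constructed for illustration. It contrasts a check that silently stops enforcing pins after expiry with one that keeps comparing and reports the lapsed state so the caller can warn or block.

```python
import base64
import hashlib
from datetime import datetime, timezone


def spki_pin(spki_der: bytes) -> str:
    """Pin value as in HPKP (RFC 7469): base64 of SHA-256 over the SPKI bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
SITE_KEY = b"constructed-spki-of-the-pinned-site-key"
OTHER_KEY = b"constructed-spki-of-an-unpinned-key"

# Hypothetical pin store: host -> (allowed pins, expiry of the pin entry).
PIN_STORE = {
    "addons.example": ({spki_pin(SITE_KEY)},
                       datetime(2030, 1, 1, tzinfo=timezone.utc)),
}
BEFORE = datetime(2029, 6, 1, tzinfo=timezone.utc)  # constructed clock values
AFTER = datetime(2030, 6, 1, tzinfo=timezone.utc)


def check_silent(host, chain_spkis, now):
    """Weak model: after expiry the pin check is skipped and nothing is reported."""
    pins, expires = PIN_STORE[host]
    if now >= expires:
        return True
    return any(spki_pin(k) in pins for k in chain_spkis)


def check_reporting(host, chain_spkis, now):
    """Stricter model: always compare, and tell the caller when pins have lapsed."""
    entry = PIN_STORE.get(host)
    if entry is None:
        return True, "no-pins"
    pins, expires = entry
    matched = any(spki_pin(k) in pins for k in chain_spkis)
    if now >= expires:
        return matched, "pins-expired-match" if matched else "pins-expired-mismatch"
    return matched, "pinned-ok" if matched else "pin-mismatch"


if __name__ == "__main__":
    for label, now in (("before expiry", BEFORE), ("after expiry", AFTER)):
        print(label, check_silent("addons.example", [OTHER_KEY], now),
              check_reporting("addons.example", [OTHER_KEY], now))
```
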

Duff recommends that Tor Browser users update to version 6.0.5 immediately. If you are a Tor Browser or Firefox user who doesn’t wish to upgrade right away, you might want to disable automatic add-on updates (a feature in both browsers).
