Re: [Tails-dev] Tor Browser 6.0.5 Released Early

Author: anonym
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Tor Browser 6.0.5 Released Early
Random User:
> Hi,
>
> Late last week (no later than 17 September) my Tor Browser updated
> itself (after prompting me) to 6.0.5. Yet, the changelog (
> /tor-browser_en-US/Browser/TorBrowser/Docs/ChangeLog.txt ) gives the
> release date as September 20th (future date).
>
> Likewise, a September 12th email sent to the Tails-dev list with the
> subject, "New release schedule for Tails 2.6", begins,
>
>> So Mozilla has decided to delay the upcoming Firefox release until
>> 2016-09-20, so the upcoming Tor Browser (6.0.5) is delayed as much, and
>> hence Tails should follow suit.
>
> I'm just wondering what accounts for TB 6.0.5 being released at least
> several days ahead of the date announced (20 Sept.)


Mozilla badly messed up their certificate pinning, details can be found
here:

    http://seclists.org/dailydave/2016/q3/51


So the Tor Browser developers decided (rightly) to release early since
Tor Browser enables automatic add-on update checks, which combined with
the above makes all its users open to remote code execution by any
adversary able to forge the addons.mozilla.org certificate (so any
Certificate Authority, nation state, your neighbour and his dog,
essentially). Tails' Tor Browser does not have automatic update checks
enabled (and we actively discourage users from messing with add-ons),
however, so we opted to not change the release date yet again.

And yes: this means that all Firefox users are still vulnerable to this
until they hopefully update Firefox tomorrow...

Cheers!