Mike Perry:
Alright, new builds are up that should fix the above issue and also disable the two FTE bridges that changed fingerprints: https://people.torproject.org/~mikeperry/builds/3.6-beta-2/
Let me know if anything else explodes. I hope to announce these ASAP.
Testing: TorBrowser-3.6-beta-2-osx32_en-US.dmg Platform: Mac OS X 10.9.2 (13C64) Processor: 2.3GHz Intel Core i7 Memory: 16 GB 1600 MHz DDR3 Graphics: NVIDIA GeForce GT 750M 2048 MB Display: 15-inch (2880 x 1800 Retina)
TBB Launches successfully: yes Connects to the Tor network: yes Browser toolbars and menus work, tab dragging works: yes
All extensions are present and functional: yes - HTTPS-Everywhere 3.4.5 - NoScript 2.6.8.19 - TorButton 1.6.8.1 - TorLauncher 0.2.5.3
WebBrowsing works as expected - HTTP, HTTPS, .onion browsing works - HTML5 videos work on http://videojs.com/ and YouTube - http://ip-check.info/?lang=en - ok - https://panopticlick.eff.org/ - only one in 505,378 , 18.95 bits of identifying information - html5demos.com/web-socket - Not Connected / Socket Closed
SOCKS/external apps work as expected: yes (Torbirdy & Bitcoin-QT)
--------------------------------------------------------------
Also: https://www.howsmyssl.com/ :
**Your SSL client is Bad.**
Bad: Your client is using TLS 1.0, which is very old, possibly susceptible to the BEAST attack, and doesn't have the best cipher suites available on it. Additions like AES-GCM, and SHA256 to replace MD5-SHA-1 are unavailable to a TLS 1.0 client as well as many more modern cipher suites.
Good: Ephemeral keys are used in some of the cipher suites your client supports. This means your client may be used to provide forward secrecy if the server supports it. This greatly increases your protection against snoopers, including global passive adversaries who scoop up large amounts of encrypted traffic and store them until their attacks (or their computers) improve.
Improvable: Session tickets are not supported in your client. Without them, services will have a harder time making your client's connections fast. Generally, clients with ephemeral key support get this for free.
Good: Your TLS client does not attempt to compress the settings that encrypt your connection, avoiding information leaks from the CRIME attack.
Good: Your client is not vulnerable to the BEAST attack. While it's using TLS 1.0 in conjunction with Cipher-Block Chaining cipher suites, it has implemented the 1/n-1 record splitting mitigation.
Bad: Your client supports cipher suites that are known to be insecure:
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: This cipher was meant to die with SSL 3.0 and is of unknown safety.
The cipher suites your client said it supports, in the order it sent them, are:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_SEED_CBC_SHA SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5