"This vulnerability allows the plaintext of secure connections to be calculated by a network attacker," said Bodo Möller of the Google Security Team. "If a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around serve side interoperability bugs."
"More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses," Tor Browser and Tor Performance Developer Mike Perry explained in a blog post.
"This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work," reads the blog post. "Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option."
"Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures."