v0.6.0
Security
- SAFECOOKIE on Tor control port: authentication now uses SAFECOOKIE (spec 193, HMAC-SHA256 challenge/response) instead of plain COOKIE. The cookie file is never sent in cleartext over the TCP socket.
- Config integrity: torshield.json is signed with HMAC-SHA256 using a key stored in the macOS Keychain. Any external alteration is detected at load time, and the config resets to defaults instead of being silently applied.
- Secure PRNG: rand_bytes() replaced by getrandom::fill(), which calls getentropy(2) directly on macOS. The previous clock fallback produced predictable MAC addresses on /dev/urandom failure.
- ts_helper SUID, tee removed: /usr/bin/tee was in the SUID whitelist (GTFOBins: arbitrary root file write). Replaced by an internal write-pf-conf verb with /etc/pf.conf hardcoded in C and O_NOFOLLOW on open().
- ensure_helper(), symlink attack: the helper binary is now compiled in /tmp under an unpredictable random name (O_CREAT|O_EXCL), with a symlink check after compilation and before elevation.
- pf anchor, table placement: table <apple_relay> moved from the anchor file into /etc/pf.conf. Tables in anchors cause silent boot failures on macOS.
- user.js strip(): exact prefix match on user_pref("...") lines only; it no longer removes comments or third-party prefs.
- CanvasBlocker downloaded via Tor: XPI now fetched through socks5h://127.0.0.1:9050.
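
The SAFECOOKIE exchange from the first item, as an added example (not torshield's code): both sides of the HMAC-SHA256 challenge/response, using the fixed key strings from Tor's control-port specification, to show that only nonces and hashes cross the socket. Function names and the random stand-in cookie are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Fixed HMAC keys defined by Tor's control-port spec for SAFECOOKIE.
SERVER_KEY = b"Tor safe cookie authentication server-to-controller hash"
CLIENT_KEY = b"Tor safe cookie authentication controller-to-server hash"


def _mac(key, cookie, client_nonce, server_nonce):
    # HMAC-SHA256(key, CookieString | ClientNonce | ServerNonce)
    return hmac.new(key, cookie + client_nonce + server_nonce, hashlib.sha256).digest()


def server_challenge(cookie, client_nonce):
    """Tor side of AUTHCHALLENGE: returns (server_hash, server_nonce)."""
    server_nonce = os.urandom(32)
    return _mac(SERVER_KEY, cookie, client_nonce, server_nonce), server_nonce


def client_response(cookie, client_nonce, server_hash, server_nonce):
    """Controller side: check SERVERHASH first, then build the AUTHENTICATE value."""
    expected = _mac(SERVER_KEY, cookie, client_nonce, server_nonce)
    if not hmac.compare_digest(expected, server_hash):
        raise ValueError("SERVERHASH mismatch: peer does not hold the cookie")
    return _mac(CLIENT_KEY, cookie, client_nonce, server_nonce)


def server_verify(cookie, client_nonce, server_nonce, client_hash):
    """Tor side of AUTHENTICATE: constant-time check of the controller's hash."""
    expected = _mac(CLIENT_KEY, cookie, client_nonce, server_nonce)
    return hmac.compare_digest(expected, client_hash)


def run_exchange(cookie):
    """Hypothetical driver: returns (lines as seen on the wire, authenticated)."""
    client_nonce = os.urandom(32)
    server_hash, server_nonce = server_challenge(cookie, client_nonce)
    client_hash = client_response(cookie, client_nonce, server_hash, server_nonce)
    wire = [
        f"AUTHCHALLENGE SAFECOOKIE {client_nonce.hex()}",
        f"250 AUTHCHALLENGE SERVERHASH={server_hash.hex()} SERVERNONCE={server_nonce.hex()}",
        f"AUTHENTICATE {client_hash.hex()}",
    ]
    return wire, server_verify(cookie, client_nonce, server_nonce, client_hash)


if __name__ == "__main__":
    cookie = os.urandom(32)  # constructed stand-in for the 32-byte cookie file
    lines, ok = run_exchange(cookie)
    print("\n".join(lines), "\nauthenticated:", ok)
```

With plain COOKIE the AUTHENTICATE argument is the cookie itself; here a controller also refuses to answer a peer that cannot produce a valid SERVERHASH.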