Tails 7.6 Hides Bridge Requests Behind CDN Traffic

Tails 7.6 dropped today with automatic Tor bridge fetching that uses domain fronting to hide bridge requests from censors, a new password manager that trades power features for accessibility, and an Electrum wallet upgrade that skipped 18 months of releases.

The bridge configuration is the big one for people in censored regions. When you select "Connect to Tor automatically" and the connection fails, Tails now offers a button that says "Ask for a Tor bridge based on your region." Behind that button is the Moat API, the Tor Project's bridge distribution system, and Tails disguises the connection to Moat using domain fronting, a technique that exploits the gap between two layers of HTTPS to make a request look like it's going to an unrelated website.

From what I found, the TLS handshake sends one hostname in the SNI field, which the censor can see, while the actual HTTP Host header inside the encrypted tunnel points to Tor Project infrastructure. The CDN edge server terminates TLS, reads the real Host header, and forwards the request to the Moat endpoint. The censor sees a connection to some random CDN domain and has no idea bridges are being fetched. Russia tried blocking this approach in 2018 by banning 15.8 million Google and Amazon IP addresses, and it still failed to stop Telegram from using the same technique. For anyone in Iran, China, or Russia trying to get on Tor through Tails, this is the most meaningful upgrade in years because it automates a process that previously required finding bridges manually through secondary channels.

Ok so the other headline change is that GNOME Secrets replaces KeePassXC as the default password manager, and this one is going to annoy some people. The Tails team laid out the reasoning on GitLab: KeePassXC is a Qt-based app that broke GNOME's on-screen keyboard and cursor scaling features, which made Tails unusable for people who rely on accessibility tools. GNOME Secrets is a native GTK4/libadwaita app, so those features work again.

The Electrum upgrade in this release is enormous. Tails jumped from Electrum 4.5.8 to 4.7.0, skipping three point releases across two minor versions and nearly 18 months of development. The 4.6.0 release alone brought submarine swaps over Nostr (decentralized swap provider discovery where anyone can run a server), anchor channels as the default for new Lightning channels, a complete Qt5-to-Qt6 migration, a third-party plugin system, and Nostr Wallet Connect for remote wallet control via NIP-47. Electrum 4.7.0 then added submarine payments from Lightning to on-chain addresses and LNURL-Withdraw support for receiving funds from ATMs and vouchers. The Electrum team also discovered that malicious bitcoin addresses were being injected into translated UI strings, and upstream releases after 4.7.0 added automated safeguards using regex patterns and an LLM proofreader to catch translation vandalism before it ships. If you're running Electrum through Tails and sending bitcoin, you want this version.

Tor Browser is updated to 15.0.8, based on Firefox ESR 140.9.0, and this one's a security dump. Mozilla's security advisory MFSA 2026-22 lists over 30 CVEs backported from Firefox 149, with 15+ rated high severity. The ones that should concern you: CVE-2026-4688 is a use-after-free in Disability Access APIs that enables sandbox escape, CVE-2026-4692 is a sandbox escape through Responsive Design Mode, and CVE-2026-4691 is a use-after-free in CSS parsing. Mozilla's fuzzing team also found memory safety bugs with evidence of memory corruption in CVE-2026-4720 and CVE-2026-4721, and the advisory flat out says they presume some could be exploited for arbitrary code execution.

Thunderbird moves to 140.8.0, patching CVE-2026-2778 (a sandbox escape via boundary conditions in DOM: Core & HTML) and CVE-2026-2793 (boundary conditions in WebRTC). Mozilla says these can't usually be exploited through email because Thunderbird disables scripting when reading mail, but they're still risks in browser-like contexts within the client. Starting with Tails 7.5, Thunderbird is installed via Persistent Storage rather than bundled in the base image, and starting with Tails 7.8 (expected May 2026), Thunderbird will be removed from the default image entirely. If you use email on Tails, configure your Persistent Storage now.

Firmware packages got updated for better hardware support, and they fixed three smaller things: the confirmation dialog for USB stick language settings now actually translates properly, the "Learn More" button in the Thunderbird migration notification works now, and automated upgrades stopped breaking in Turkish.

The last three months tell you everything about why you want this update. Tails 7.4.1 was an emergency release for critical OpenSSL vulnerabilities where "a malicious Tor relay might be able to deanonymize a Tails user." Tails 7.4.2 was another emergency release for Linux kernel privilege escalation bugs that Tails described as exploitable by "a strong attacker, such as a government or a hacking firm." This is a scheduled release, it is cumulative, and automatic upgrades work from Tails 7.0 onward. Update.