
Tails 7.7 drops with routine upgrades to Tor Browser and Thunderbird while finally patching a permissions glitch that left the root directory wide open. The release adds a practical warning about expiring Secure Boot certificates, giving operators time to update firmware before legacy machines refuse to boot next year. Background tweaks tighten package pinning to block unpatched Debian updates and add exFAT support so kexec bootloaders can actually find the ISO on modern flash drives. Verify those checksums before flashing your drive and let the new certificate alerts guide any necessary motherboard updates.



Tails 7.7 Brings Secure Boot Warnings and Tor Browser Upgrades to Your Privacy Setup

Tails 7.7 lands with a few practical fixes that actually matter for people running this portable operating system on real hardware. The update pushes Tor Browser to version 15.0.10, bumps Thunderbird to 140.9.1, and finally addresses a permissions glitch in the root directory. Most importantly, it adds a warning about outdated Secure Boot certificates before they cause boot failures next year.

Warning About Expiring Secure Boot Certificates

Microsoft has been quietly rotating out the original Secure Boot certificates issued back in 2011, and those older keys start expiring in June 2026. The new version scans the system during startup and pops up a notification if it detects an outdated certificate chain. This matters because many privacy-focused workstations still run on older motherboards or custom firmware setups that never received a proper BIOS update. Field reports show machines with legacy UEFI implementations simply refusing to boot once those certificates vanish, leaving users staring at a black screen while encrypted drives sit locked. The notification gives operators enough time to flash updated firmware or disable Secure Boot entirely before the deadline arrives.
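As an added example (not Tails' own code, whose detection logic this article does not describe), the Python below walks the EFI_SIGNATURE_LIST structures of a Secure Boot db variable and reports X.509 certificates whose notAfter date falls on or before a chosen deadline. The function names and the sample data are constructed for illustration: the sample holds truncated certificate skeletons with made-up dates, not Microsoft's real certificates.

```python
import struct, uuid
from datetime import datetime, timezone

X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID

def tlv(buf, pos):  # read one DER element -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(cert):  # notAfter of a DER X.509 certificate, as an aware UTC datetime
    _, pos, _ = tlv(cert, tlv(cert, 0)[1])  # enter Certificate, then tbsCertificate
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _ in range(3):                       # skip serialNumber, signature, issuer
        pos = tlv(cert, pos)[2]
    pos = tlv(cert, pos)[1]                  # enter the validity SEQUENCE
    pos = tlv(cert, pos)[2]                  # skip notBefore
    tag, start, end = tlv(cert, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(cert[start:end].decode(), fmt).replace(tzinfo=timezone.utc)

def x509_entries(db):  # yield DER certs from concatenated EFI_SIGNATURE_LIST structures
    pos = 0
    while pos + 28 <= len(db):
        sig_type = uuid.UUID(bytes_le=db[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, pos + 16)
        if list_size < 28 or pos + list_size > len(db):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if sig_type == X509_GUID and sig_size > 16:
            for off in range(pos + 28 + hdr_size, pos + list_size - sig_size + 1, sig_size):
                yield db[off + 16:off + sig_size]  # drop the SignatureOwner GUID
        pos += list_size

def expiring(db, deadline):  # notAfter dates that fall on or before the deadline
    return [d for d in map(not_after, x509_entries(db)) if d <= deadline]

def _der(tag, body):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(body)]) + body
def sample_list(expiry):  # constructed list with a certificate skeleton, not a real cert
    validity = _der(0x30, _der(0x17, b"110101000000Z") + _der(0x17, expiry))
    tbs = _der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"") * 2 + validity
    entry = bytes(16) + _der(0x30, _der(0x30, tbs))
    return X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry

SAMPLE_DB = sample_list(b"260601000000Z") + sample_list(b"380101000000Z")  # constructed dates
```

On a Linux system booted through UEFI, the same functions can be run on the contents of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f after dropping the first four bytes, which hold the variable's attributes.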

Tor Browser and Thunderbird Get Routine Upgrades

The portable browser moves to version 15.0.10, which is built on Firefox ESR 140.10. This keeps the network layer patched against known exploits while maintaining the strict fingerprinting protections that make Tails useful for journalists and activists. Thunderbird also receives a routine bump to 140.9.1, bringing standard security fixes to email handling without introducing any major interface changes. The update process handles these package upgrades cleanly, though users should expect the usual few minutes of background compilation when running the live system on slower hardware or older virtual machines.

Fixing Root Directory Permissions in Tails 7.7

A long-standing oversight allowed the root folder to remain world-readable across the entire live environment. The release corrects this by tightening access controls so only the actual root user can view those files. Leaving system directories open to everyone creates unnecessary exposure if someone gains physical access to an unattended machine or runs a script that scans for sensitive paths. It is not exactly a sophisticated attack vector, but it completely undermines basic threat models in shared workspaces. The fix aligns with standard Linux security practices and removes a trivially exploitable gap.

Background Improvements That Keep the System Stable

Behind the scenes, the release process gets tighter with better handling of Debian package pinning to prevent accidental upgrades to unpatched versions. The test suite also receives adjustments to run fragile checks more reliably and fix cleanup issues when automated processes exit unexpectedly. Support for exFAT in the initramfs finally allows kexec-based bootloaders to locate the ISO file on modern flash drives, which solves a recurring headache for people who format their USB sticks with default Windows tools. Flatpak gets updated to 1.16.6 as well, keeping sandboxed applications running smoothly without breaking compatibility with older host systems.

The update rolls out quietly but covers enough ground to keep the operating system usable on aging hardware and modern UEFI boards alike. Verify the checksums before flashing anything to a drive and let the new certificate warnings guide any necessary firmware updates.