[HN Gopher] Security Vulnerability in Tor Browser
___________________________________________________________________

Security Vulnerability in Tor Browser

Author : Vladimof
Score  : 137 points
Date   : 2022-05-25 20:01 UTC (2 hours ago)

(HTM) web link (darknetlive.com)
(TXT) w3m dump (darknetlive.com)

| tptacek wrote:
| A reminder that Tor Browser might be one of the least safe browsers you can run: it's a fork of Firefox, meaning that its maintainers have to coordinate and port patches from the mainline project. Firefox is already not one of the most hardened browser engines. Meanwhile, the fork you'll be running is specifically designed to hide sensitive traffic, and collapses all those users into a single version for exploits to target.
|
| I'm ambivalent about Tor, but if you're using Tor, don't use the Browser Bundle.
| mikojan wrote:
| jerheinze wrote:
| This is deeply misleading and based on old data.
|
| > A reminder that Tor Browser might be one of the least safe browsers you can run: it's a fork of Firefox, meaning that its maintainers have to coordinate and port patches from the mainline project.
|
| Tor Browser ships updates as soon as new ESR versions come out.
|
| > Firefox is already not one of the most hardened browser engines.
|
| That might've been true in the past, it's hard to argue for it now.
|
| > Meanwhile, the fork you'll be running is specifically designed to hide sensitive traffic, and collapses all those users into a single version for exploits to target.
|
| The overwhelming majority of exit traffic now is using HTTPS and Tor Browser ships with HTTPS Everywhere to avoid SSL Stripping attacks (in fact the next version of the Tor Browser will have the HTTPS-Only mode enabled by default, it's already being tested in the alpha release), so how will those evil exit nodes burn those exploits?
|
| > I'm ambivalent about Tor, but if you're using Tor, don't use the Browser Bundle.
|
| First off, the "Tor Browser Bundle" is a deprecated name. If you're not using the Tor Browser you're making yourself both insecure (it ships with a smaller attack surface, no WebGL for example) and fingerprintable, thus defeating the full privacy advantages of the Tor Browser. There is simply no other alternative.
|
| You can read the Tor Browser design documentation (though old) to get a rough sketch of what it's trying--and what it's not trying--to achieve: https://2019.www.torproject.org/projects/torbrowser/design/
|
| Further reading in case you think VPNs are the solution: https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browse...
| criticaltinker wrote:
| FYI I'm seeing a 404 from that last link.
|
| Is this the intended link?
|
| https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browse...
| jerheinze wrote:
| Thanks, corrected.
| [deleted]
| Vladimof wrote:
| > I'm ambivalent about Tor, but if you're using Tor, don't use the Browser Bundle.
|
| What do you suggest?
| urda wrote:
| > Firefox is already not one of the most hardened browser engines
|
| Citations and sources for this claim?
| symlinkk wrote:
| https://zerodium.com/images/zerodium_prices.png
| jandrese wrote:
| Isn't this taking demand into account? Exploits for Chrome are worth more because more people want them.
| alduin32 wrote:
| This chart does not support the referred claim at all. Payouts are not only linked to the browser's hardening, but also to the number of affected users. Given Firefox's engine's low market share, it's not very surprising that payouts for its vulnerabilities are lower than for Chrome.
| urda wrote:
| That's not a reliable source or claim to support the argument claimed here. That's more aligned with market demand, and whatever that company wants to pay out.
| gkbrk wrote:
| Firefox, Safari and Edge being in the same price bracket and less than Google Chrome is not related to their relative security, but to their market share being a lot less.
| toolz wrote:
| Using just this image it would imply Chrome was the least secure browser, but I'm not sure I can really infer much at all from this image other than that bugs have been found in all browsers.
|
| Was this intended to show Firefox is the least hardened browser somehow?
| comboy wrote:
| tar RCE, Linux & macOS LPE valued less than Adobe PDF/cPanel? Interesting.
|
| If you look at the number of CVEs[1] Chrome is above Firefox, but I admit that especially given the market share that doesn't say much. I wish they had some score-weighted rank.
|
| 1. https://www.cvedetails.com/top-50-products.php?year=2022
| jraby3 wrote:
| What about the Brave browser in a private window? That used Tor but theoretically also has some added protection because of the browser. I'd love to hear your thoughts.
| lucb1e wrote:
| Can't tell why this was downvoted, it sounds like a legitimate question and on-topic given that this is an alternative to the TBB which GP was recommending to avoid.
| encryptluks2 wrote:
| Anything with JavaScript leaks. You can fingerprint a computer just based on Canvas.
| [deleted]
| lucb1e wrote:
| https://en.wikipedia.org/wiki/Canvas_fingerprinting#Mitigati...
|
| > Tor Browser notifies the user of canvas read attempts and provides the option to return blank image data to prevent fingerprinting.
|
| > Canvas Defender, a browser add-on, spoofs Canvas fingerprints.
|
| > The LibreWolf browser project includes technology to block access to the HTML5 canvas by default
|
| It doesn't seem to be the case that anything with JavaScript must leak canvas fingerprints.
|
| Are you saying that Brave is unsafe because it has JS like every other browser on the planet or because it doesn't resist canvas fingerprinting specifically?
| gzer0 wrote:
| Brave browser has a notoriously bad history with their Tor implementation. Would not trust [1].
|
| _Brave's Tor mode, introduced in 2018, was sending requests for .onion domains to DNS resolvers, rather than private Tor nodes. A DNS resolver is a server that converts domain names into IP addresses. This means the .onion sites people searched for, with the understanding those searches would be private, were not. In fact, they could be observed by centralized internet service providers (ISPs)._
|
| [1] https://www.coindesk.com/tech/2021/02/22/brave-browser-was-e...
| ziddoap wrote:
| Or don't use JS, which has long been a best practice with Tor.
|
| > _The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level._
| RL_Quine wrote:
| Let's be real, you need to be using JavaScript for the internet to be functional, even within Tor. Anybody claiming they regularly use the internet with JS disabled is just lying for some sort of feel of superiority.
| nonrandomstring wrote:
| > Let's be real, you need to be using JavaScript for the internet to be functional,
|
| Nonsense. I use w3m for browsing and much more than 90 percent of the web works fine. Fully 100 percent of "the internet" works fine, because that has nothing to do with JavaScript. Please stop over-dramatising and catastrophising as a way to throw cold water on what is a very good security practice. More than one medium-security environment I've worked in recently doesn't allow JS (although admittedly the sites we are allowed to access from there are limited).
| sbf501 wrote:
| Wow, talk about proving the parent's point.
|
| I just read the top 100 website list and went to some of the top 20, like Yahoo, YouTube, Twitter, Instagram, Amazon, and Live.com (Microsoft).
|
| YouTube, Twitter and Instagram don't work at all. Live.com wouldn't let me log in without JS. Amazon worked until checkout.
| Yahoo worked until login.
|
| I think you are incorrect with your "nonsense" judgement, as this top-10 sampling is pretty sensible.
| nonrandomstring wrote:
| > YouTube, Twitter and Instagram
|
| We clearly have very different lifestyles and values. For me that's the dank basement of the internet.
| rndgermandude wrote:
| That's perfectly fine.
|
| It however does not matter for the large majority of people who use those top 100 or even top 100,000 websites or even top 1,000,000 websites, and do not have the education, skill or time to learn about all the alternatives, if there are even any. It doesn't matter for the people living under repressive regimes who want to inform themselves on foreign news sites, access foreign NGO sites, or even watch things on YouTube or look at and/or participate in social media. And so on...
|
| A large part of the web is not functional without JS, and just because you chose to not use that part of the web (much) doesn't invalidate that point.
|
| So I'd politely suggest you may tone it down a little when it comes to calling "nonsense".
| sbf501 wrote:
| Baloo wrote:
| There are alternatives that will work without JS though... obviously the majority of people use it by default, but if you don't want to have it enabled there are plenty of other options.
| ewzimm wrote:
| If I told you I don't listen to the Billboard top 100 songs, would you say "nonsense, you don't listen to music?"
|
| I also prefer w3m and find most of the web much better as text only, switching over to another browser when I want video or some other JS feature. Or I can use something like youtube-dl to fetch a video. And there's much more out there than the top 100 websites.
| sbf501 wrote:
| > If I told you I don't listen to the Billboard top 100 songs, would you say "nonsense, you don't listen to music?"
|
| No, but the response is more like: I only listen to Indie, Billboard isn't music.
|
| The vast majority of internet traffic, e.g., the most popular sites, mostly require JS. If you only visit obscure indie-rock sites, then fine, but we're talking about the masses, not the small niche exceptions.
| ewzimm wrote:
| It's true that most people will likely stick to the most popular websites, but how likely are they to use Tor, especially self-configured outside the Tor browser? I'd bet the people who would do that are much more likely to spend more time outside the most popular websites.
| capitainenemo wrote:
| Hm, this is probably a joke, but I do the vast majority of my browsing without JavaScript (NoScript+uMatrix or w3m). It's especially pleasant on news sites which are crammed with junk the few times I carelessly open them on the JS-only profile I reserve for Google's app suite.
| sneak wrote:
| Ed Snowden said to turn off the fucking scripts.
|
| So I did.
|
| Most of the web works fine.
| egberts1 wrote:
| Pffft. Even JavaScript is now letting script kiddies make persistent JS things of dubious nature, now that you can write JS to store files.
| tragictrash wrote:
| I use Brave and browse with JS disabled by default. Some sites don't work, some do. I regularly decide the info I'm looking for can be found somewhere else and back out of a broken site because of it. Some sites I enable and proceed with.
| [deleted]
| tlrobinson wrote:
| > I use Brave and browse with JS disabled by default.
|
| That's hilarious given the founder of Brave (Brendan Eich) literally invented JavaScript.
| jason0597 wrote:
| > Let's be real, you need to be using JavaScript for the internet to be functional, _even within Tor_
|
| That's incorrect, especially the last part. Dark services work very hard to design their websites to work without JS, due to these exact vulnerabilities. Nobody on the dark web trusts JS, _at all_.
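The .onion DNS leak gzer0 quotes from the CoinDesk report earlier in this thread comes down to one client decision: whether the hostname is resolved locally (by whatever resolver the OS uses) or handed unresolved to Tor's SOCKS port. Added example, not code from the thread or from Brave or Tor: it builds the SOCKS5 CONNECT request both ways, decodes it for inspection, and shows the guard a client needs so a .onion name never reaches the system resolver. No network is used; `9050` is only mentioned as Tor's default SOCKS port.

```python
import ipaddress
import socket
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03   # proxy resolves the name ("socks5h" behaviour)
ATYP_IPV6 = 0x04


class OnionLeak(Exception):
    """Raised when code is about to send a .onion name to the system resolver."""


def is_onion(host: str) -> bool:
    return host.lower().rstrip(".").endswith(".onion")


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT for host:port without resolving the name locally.

    IP literals are sent as ATYP 1/4; anything else goes as ATYP 3 so the
    proxy (Tor) performs the lookup inside the network. This is the only
    variant that can work for .onion names at all.
    """
    if not 0 < port < 65536:
        raise ValueError("bad port")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(raw)]) + raw
    else:
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def resolve_locally(host: str):
    """The leaky path: resolve first, then connect to the proxy by IP.

    Refuses .onion names outright; a local lookup would hand the name to the
    ISP/corporate resolver, which is exactly the failure the report describes.
    """
    if is_onion(host):
        raise OnionLeak(f"refusing to send {host!r} to the system resolver")
    return socket.getaddrinfo(host, None)


def parse_connect_request(data: bytes):
    """Decode a CONNECT back into (host, port, atyp), e.g. for a leak audit."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS_VER or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError("unknown ATYP")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return host, port, atyp
```

An audit of a Tor-mode client can apply `parse_connect_request` to captured proxy traffic: every request carrying ATYP 1 or 4 for a name the user typed means the client resolved it itself.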
| ziddoap wrote:
| For everyday browsing I use NoScript, and rarely allow JS to run (I don't have JS right now!). With Tor, JS is _always_ disabled, 100% of the time.
|
| Tor is a niche use case, and not running JS is a cost that comes with the increased anonymity. I'm not using Tor to watch my "How to cook rice" videos or funny cat videos.
| [deleted]
| divbzero wrote:
| Which major sites still work just fine without JS? Which ones do you have to avoid?
| ziddoap wrote:
| I mean, I don't have JS enabled for HN, although I don't know if you count that as "major".
|
| But I'm not really keeping track, honestly. If I come across a website that isn't working with JS, I make the decision "is this worth allowing JS?". Sometimes the answer is yes, sometimes it is no. Often it means enabling the first-party domain to run JS but no others.
|
| Conveniently, some of the paywalls on various news sites don't work with JS, but you can still read the article. So that'd be some of them that arguably work better without JS.
|
| I don't use Tor for everyday browsing, only for the times I need/want it. In those cases, the equation always equals "no JS" -- that's the reason I'm using Tor in the first place.
|
| It's a balancing act, as all security always is.
| vinni2 wrote:
| Most important of all, porn doesn't work
| mardifoufs wrote:
| Actually some DNMs heavily encourage you or even force you to turn off JavaScript before they let you log in/interact with the website. So while I think that JS is probably necessary for most of the regular web, that's not really the case here. It's only true if you use Tor to browse the clear net, which is probably not recommended anyways.
| easrng wrote:
| If a hidden service doesn't work without JS it's probably run by feds.
| [deleted]
| HideousKojima wrote:
| Nonsense.
| I was hired freelance to create a web forum for someone who wanted it to run on Tor and making everything work without JavaScript was the top requirement. The guy wanted an option to enable JS for those who were willing to trust it, but it was disabled by default and I designed all parts of the forum to run without JS.
| ihattendorf wrote:
| No one said it's possible to design a site without JavaScript, just that for the vast majority of the internet, including sites users rely on, it's unusable without it enabled.
| omoikane wrote:
| I regularly browse the internet via Lynx, which does not support JavaScript. A lot of sites appear to be actively hostile toward Lynx but there are some sites that are very functional and even enjoyable.
| elipsey wrote:
| I just thought no JS just made the internet work better sometimes, and now you're telling me I can be smug about it too?
|
| Now how much would you pay? :)
| schroeding wrote:
| True, disabling JavaScript and surfing the (mainstream) web is deep in the no-fun zone, maybe just above "using Lynx as a day-to-day browser". :D
|
| But what one could do is somewhat reduce the risk by only running JavaScript from the actual domain and its subdomains by default, with something like uMatrix[1]. Most sites are already usable that way, and it's often obvious (to most people on this site) what domains have to be whitelisted to make it fully functional if they aren't. Or actually whitelist the domain for every website on the first visit. Tedious, but you only need to do it once per site.
|
| Doing so at least protects a bit against malicious iframes or injected scripts from 3rd party domains, doesn't it? :)
|
| [1] https://addons.mozilla.org/de/firefox/addon/umatrix/
| btdmaster wrote:
| uBlock Origin allows most of those things when it's opted in: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering
| account-5 wrote:
| Is uMatrix being maintained again?
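The default schroeding describes above ("only run JavaScript from the actual domain and its subdomains", then whitelist specific third parties per site) is a small policy function once "same domain" is defined properly. Added example, not uMatrix's or uBlock Origin's code and not their exact rule precedence: a first-party-only script policy with per-site allow rules that inherit down the third-party hostname. The suffix set is a constructed stand-in for the public-suffix list, there only to show why the last two labels are not the right notion of "domain".

```python
from urllib.parse import urlsplit

# Constructed stand-in for the public-suffix list (a real deployment loads the PSL).
MULTI_LABEL_SUFFIXES = {"co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """eTLD+1 for a hostname: the unit by which first-party vs third-party is judged."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def host_chain(host: str) -> list:
    """static.cdn.example.net -> [static.cdn.example.net, cdn.example.net, example.net]."""
    site = registrable_domain(host)
    labels = host.lower().rstrip(".").split(".")
    chain = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        chain.append(name)
        if name == site:
            break
    return chain


class ScriptPolicy:
    """Block third-party script by default; first-party (same site, any subdomain)
    is allowed; whitelist() lets a user opt a third party back in for one site
    or for every site ("*")."""

    BLOCKED_SCHEMES = {"data", "blob", "javascript"}   # injection vectors, never first-party

    def __init__(self):
        self._allow = set()   # pairs of (page site or "*", third-party host or parent)

    def whitelist(self, page_site: str, script_host: str) -> None:
        self._allow.add((page_site.lower(), script_host.lower()))

    def decide(self, page_url: str, script_url: str) -> str:
        page, script = urlsplit(page_url), urlsplit(script_url)
        if script.scheme in self.BLOCKED_SCHEMES:
            return "block"
        if not script.hostname:
            return "allow"                       # relative URL: same origin as the page
        page_site = registrable_domain(page.hostname)
        if registrable_domain(script.hostname) == page_site:
            return "allow"                       # first-party, subdomains included
        for src in (page_site, "*"):             # site-specific rule wins, then global
            for dst in host_chain(script.hostname):
                if (src, dst) in self._allow:
                    return "allow"
        return "block"
```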
| potatototoo99 wrote:
| You say that on a website where you don't need JavaScript either.
| kube-system wrote:
| Rumor is that there are dozens of websites that work without JavaScript.
| jiripospisil wrote:
| Isn't it based on Firefox ESR, the Mozilla-maintained version of Firefox with slower feature updates?
| fsflover wrote:
| Or use Whonix on Qubes OS, relying on hardware virtualization to protect you.
| mrtesthah wrote:
| The more unique your browser (i.e., the more you deviate from the Tor Browser based on Firefox ESR), the more unique and therefore fingerprintable you are.
| RL_Quine wrote:
| The Tor browser is 100% unique, it makes no attempt to pretend to be anything other than itself. Your anonymity set is other Tor users, not other Firefox users.
| jandrese wrote:
| The fact that they can detect that you're using the TOR browser configuration isn't that shocking when they also see that you are coming out of a TOR exit node, or the site you are loading is an Onion site. The anonymity comes from looking like every other person who downloaded Tails.
| RL_Quine wrote:
| Yes.
| mrtesthah wrote:
| This doesn't contradict anything I said. If you believe you are contradicting what I said, perhaps you could rephrase what you thought my comment was communicating. Otherwise, I will interpret the intent of your reply as adding supporting details.
| cheeze wrote:
| I've always assumed that Tor was a top target for 3 letter agencies. In that sense, there is so much attention on it that it's kinda pointless.
| smm11 wrote:
| Where did Tor come from, again?
| lucb1e wrote:
| "Comments should get more thoughtful and substantive, not less, as a topic gets more divisive."
| https://news.ycombinator.com/newsguidelines.html (Not sure a rhetorical question to make some vague accusation counts as a substantive comment)
| ziddoap wrote:
| It's not a "vague accusation", onion routing was developed by the US Naval Research Academy ("NRL", a 3 letter government agency).
|
| See https://en.wikipedia.org/wiki/Tor_(network)#History for more detail.
| lucb1e wrote:
| The vague accusation is that because "onion routing"[1] has roots in the military, it must have a backdoor that we haven't uncovered in decades. If the person had posted this Wikipedia link with the info you mentioned, for example, I wouldn't have thought it unsubstantial per the guidelines (even if the claim/accusation itself is unsubstantiated by the evidence, that's a difference of opinion and not a guidelines thing).
|
| [1] Not the cryptography, not even the code implementation, but just the general concept: having a message packed in several layers of encryption such that intermediate routers don't know the contents. https://en.wikipedia.org/wiki/Onion_routing
| jakear wrote:
| Created by the US Navy and currently majorly funded by the US Department of State, for those unaware.
| tialaramex wrote:
| For any such agency, a handful of Tor nodes gives your own agents a useful secure channel. An _overwhelming majority_ of nodes would give you good insight into what other users are doing, but it's very hard to get such a majority since of course all your competitors think the same. Putting in place a handful of nodes to benefit your own agents is very possible, so that's what you do.
| stefan_ wrote:
| They also still enable JavaScript by default, which is time and time again the source of these vulnerabilities.
| jerheinze wrote:
| This has been eloquently addressed by Tor veteran Mike Perry:[1]
|
| Concerns about Javascript are rooted in two avenues:
|
| 1. Fingerprinting concerns.
|
| 2. Zero-day exploits against Firefox.
|
| The reason we feel that leaving Javascript enabled trumps these concerns is:
|
| 1. We want enough people to actually use Tor Browser such that it becomes less interesting that you're a Tor user. We have plenty of academic research and mathematical proofs that tell us quite clearly that the more people use Tor, the better the privacy, anonymity, and traffic analysis resistance properties will become.
|
| In fact, my personal goal is to grab the entire "Do Not Track" userbase from Mozilla. That userbase is probably well in excess of 12.5 million people: http://www.techworld.com.au/article/400248/
|
| I do _not_ believe we can capture that userbase if we ship a JS-disabled-by-default browser.
|
| 2. Exploitable vulnerabilities can be anywhere in the browser, not just in the JS interpreter. We disable and/or click-to-play the known major vectors, but the best solutions here are providing bug bounties (Mozilla does this; we should too, if we had any money) and sandboxing systems (Seatbelt, AppArmor, SELinux).
|
| [1] : https://lists.torproject.org/pipermail/tor-talk/2012-May/024...
| _wldu wrote:
| I no longer use Tor either (unless I have to for work projects such as remote pentesting).
|
| What is your opinion of Landlock (Linux kernel 5.13 and newer)? If we wrap vanilla Firefox in Landlock, proxy that to Tor and use AppArmor/Tomoyo to further limit what Firefox could do (when it gets compromised) then I think that would be a much safer approach than using the Tor Browser Bundle.
|
| Here's a Landlock wrapper (in Go) for Firefox: https://github.com/62726164/misc/blob/main/go/landlock/firef...
|
| Also, I've only ever been able to get Tomoyo to work as MAC for Firefox. SELinux and AppArmor were too difficult.
| rebelwebmaster wrote:
| These are just the Pwn2Own vulnerabilities. Nowhere did Mozilla ever say they were being exploited in the wild.
| [deleted]
| mmastrac wrote:
| Perhaps they moved fast:
|
| "Mozilla is aware of websites exploiting this vulnerability already."
___________________________________________________________________
(page generated 2022-05-25 23:00 UTC)