[HN Gopher] Security Vulnerability in Tor Browser
       ___________________________________________________________________
        
       Security Vulnerability in Tor Browser
        
       Author : Vladimof
       Score  : 137 points
       Date   : 2022-05-25 20:01 UTC (2 hours ago)
        
 (HTM) web link (darknetlive.com)
 (TXT) w3m dump (darknetlive.com)
        
       | tptacek wrote:
       | A reminder that Tor Browser might be one of the least safe
       | browsers you can run: it's a fork of Firefox, meaning that its
       | maintainers have to coordinate and port patches from the mainline
       | project. Firefox is already not one of the most hardened browser
       | engines. Meanwhile, the fork you'll be running is specifically
       | designed to hide sensitive traffic, and collapses all those users
       | into a single version for exploits to target.
       | 
       | I'm ambivalent about Tor, but if you're using Tor, don't use the
       | Browser Bundle.
        
         | mikojan wrote:
        
         | jerheinze wrote:
         | This is deeply misleading and based on old data.
         | 
         | > A reminder that Tor Browser might be one of the least safe
         | browsers you can run: it's a fork of Firefox, meaning that its
         | maintainers have to coordinate and port patches from the
         | mainline project.
         | 
         | Tor Browser ships updates as soon as new ESR versions come out.
         | 
         | > Firefox is already not one of the most hardened browser
         | engines.
         | 
         | That might've been true in the past, it's hard to argue for it
         | now.
         | 
         | > Meanwhile, the fork you'll be running is specifically
         | designed to hide sensitive traffic, and collapses all those
         | users into a single version for exploits to target.
         | 
         | The overwhelming majority of exit traffic now is using HTTPS
         | and Tor Browser ships with HTTPS Everywhere to avoid SSL
          | Stripping attacks (in fact the next version of the Tor Browser
         | will have the HTTPS-Only mode enabled by default, it's already
         | being tested in the alpha release), so how will those evil exit
          | nodes burn those exploits?
         | 
         | > I'm ambivalent about Tor, but if you're using Tor, don't use
         | the Browser Bundle.
         | 
         | First off, the "Tor Browser Bundle" is a deprecated name. If
         | you're not using the Tor Browser you're making yourself both
         | insecure (it ships with a smaller attack surface, no WebGL for
         | example) and fingerprintable defeating thus the full privacy
         | advantages of the Tor Browser. There is simply no other
         | alternative.
         | 
         | You can read the Tor Browser design documentation (though old)
         | to get a rough sketch of what it's trying--and what it's not
         | trying--to achieve:
         | https://2019.www.torproject.org/projects/torbrowser/design/
         | 
         | Further reading in case you think VPNs are the solution:
         | https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browse...
        
           | criticaltinker wrote:
           | FYI I'm seeing a 404 from that last link.
           | 
           | Is this the intended link?
           | 
           | https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-
           | browse...
        
             | jerheinze wrote:
             | Thanks, corrected.
        
         | [deleted]
        
         | Vladimof wrote:
         | > I'm ambivalent about Tor, but if you're using Tor, don't use
         | the Browser Bundle.
         | 
         | What do you suggest?
        
         | urda wrote:
         | > Firefox is already not one of the most hardened browser
         | engines
         | 
         | Citations and sources for this claim?
        
           | symlinkk wrote:
           | https://zerodium.com/images/zerodium_prices.png
        
             | jandrese wrote:
             | Isn't this taking demand into account? Exploits for Chrome
             | are worth more because more people want them.
        
             | alduin32 wrote:
             | This chart does not support the referred claim at all.
             | Payouts are not only linked to the browser's hardening, but
              | also to the number of affected users. Given the Firefox
              | engine's low market share, it's not very surprising that
              | payouts for its vulnerabilities are lower than for Chrome.
        
             | urda wrote:
             | That's not a reliable source or claim to support the
             | argument claimed here. That's more aligned with market
             | demand, and whatever that company wants to pay out.
        
             | gkbrk wrote:
             | Firefox, Safari and Edge being in the same price bracket
             | and less than Google Chrome is not related to their
             | relative security, but their marketshare being a lot less.
        
             | toolz wrote:
              | Using just this image it would imply Chrome was the least
             | secure browser, but I'm not sure I can really infer much at
             | all from this image other than bugs have been found in all
             | browsers.
             | 
              | Was this intended to show Firefox is the least hardened
             | browser somehow?
        
             | comboy wrote:
             | tar RCE, linux & macos LPE valued less than adobe
             | pdf/cpanel? Interesting.
             | 
              | If you look at the number of CVEs[1] Chrome is above Firefox,
             | but I admit that especially given the market share that
             | doesn't say much. I wish they had some score weighted rank.
             | 
             | 1. https://www.cvedetails.com/top-50-products.php?year=2022
        
         | jraby3 wrote:
         | What about the Brave browser in a private window? That used Tor
         | but theoretically also has some added protection because of the
         | browser. I'd love to hear your thoughts.
        
           | lucb1e wrote:
           | Can't tell why this was downvoted, it sounds like a
           | legitimate question and on-topic given that this is an
           | alternative to the TBB which GP was recommending to avoid.
        
           | encryptluks2 wrote:
           | Anything with JavaScript leaks. You can fingerprint a
           | computer just based on Canvas.
        
             | [deleted]
        
             | lucb1e wrote:
             | https://en.wikipedia.org/wiki/Canvas_fingerprinting#Mitigat
             | i...
             | 
             | > Tor Browser notifies the user of canvas read attempts and
             | provides the option to return blank image data to prevent
             | fingerprinting.
             | 
             | > Canvas Defender, a browser add-on, spoofs Canvas
             | fingerprints.
             | 
             | > The LibreWolf browser project includes technology to
             | block access to the HTML5 canvas by default
             | 
             | It doesn't seem to be the case that anything with
              | JavaScript must leak canvas fingerprints.
             | 
             | Are you saying that Brave is unsafe because it has JS like
             | every other browser on the planet or because it doesn't
             | resist canvas fingerprinting specifically?
        
           | gzer0 wrote:
           | Brave browser has a notoriously bad history with their tor
           | implementation. Would not trust [1].
           | 
           |  _Brave's Tor mode, introduced in 2018, was sending requests
           | for .onion domains to DNS resolvers, rather than private Tor
           | nodes. A DNS resolver is a server that converts domain names
           | into IP addresses. This means the .onion sites people
           | searched for, with the understanding those searches would be
           | private, were not. In fact, they could be observed by
           | centralized internet service providers (ISPs)._
           | 
           | [1] https://www.coindesk.com/tech/2021/02/22/brave-browser-
           | was-e...
        
         | ziddoap wrote:
         | Or don't use JS, which has long been a best practice with Tor.
         | 
         | > _The Safest security level of Tor Browser is not affected
         | because JavaScript is disabled at this security level._
        
           | RL_Quine wrote:
            | Let's be real, you need to be using JavaScript for the
           | internet to be functional, even within Tor. Anybody claiming
           | they regularly use the internet with JS disabled is just
           | lying for some sort of feel of superiority.
        
             | nonrandomstring wrote:
              | > Let's be real, you need to be using JavaScript for the
             | internet to be functional,
             | 
             | Nonsense. I use w3m for browsing and much more than 90
              | percent of the web works fine. Fully 100 percent of "the
             | internet" works fine, because that has nothing to do with
             | JavaScript. Please stop over-dramatising and
             | catastrophising as a way to throw cold water on what is a
              | very good security practice. More than one medium-security
              | environment I've worked in recently doesn't allow JS
             | (although admittedly the sites we are allowed to access
             | from there are limited).
        
               | sbf501 wrote:
               | Wow, talk about proving the parent's point.
               | 
               | I just read the top 100 website list and went to some of
               | the top 20, like Yahoo, YouTube, Twitter, Instagram,
               | Amazon, and Live.com (Microsoft).
               | 
               | YouTube, Twitter and Instagram don't work at all.
               | Live.com wouldn't let me log in without JS. Amazon worked
               | until checkout. Yahoo worked until login.
               | 
               | I think you are incorrect with your "nonsense" judgement,
               | as this top-10 sampling is pretty sensible.
        
               | nonrandomstring wrote:
               | > YouTube, Twitter and Instagram
               | 
               | We clearly have very different lifestyles and values. For
                | me that's the dank basement of the internet.
        
               | rndgermandude wrote:
               | That's perfectly fine.
               | 
               | It however does not matter for the large majority of
               | people who use those top 100 or even top 100,000 websites
               | or even top 1,000,000 websites, and do not have the
               | education, skill or time to learn about all the
               | alternatives, if there are even any. It doesn't matter
               | for the people living under repressive regimes who want
               | to inform themselves on foreign news sites, access
               | foreign NGO sites, or even watch things on youtube or
               | look and/or participate in social media. And so on...
               | 
               | A large part of the web is not functional without js, and
               | just because you chose to not use that part of the web
               | (much) doesn't invalidate that point.
               | 
               | So I'd politely suggest you may tone it down a little
               | when it comes to calling "nonsense".
        
               | sbf501 wrote:
        
               | Baloo wrote:
                | There are alternatives that will work without JS though.
                | Obviously the majority of people use it by default, but
                | if you don't want to have it enabled there are plenty of
                | other options.
        
               | ewzimm wrote:
               | If I told you I don't listen to the Billboard top 100
               | songs, would you say "nonsense, you don't listen to
               | music?"
               | 
               | I also prefer w3m and find most of the web much better as
               | text only, switching over to another browser when I want
               | video or some other JS feature. Or I can use something
               | like youtube-dl to fetch a video. And there's much more
               | out there than the top 100 websites.
        
               | sbf501 wrote:
               | > If I told you I don't listen to the Billboard top 100
               | songs, would you say "nonsense, you don't listen to
               | music?"
               | 
                | No, but the response is more like: I only listen to Indie,
               | Billboard isn't music.
               | 
               | The vast majority of internet traffic, e.g., the most
               | popular sites, mostly require JS. If you only visit
               | obscure indie-rock sites, then fine, but we're talking
               | about the masses, not the small niche exceptions.
        
               | ewzimm wrote:
               | It's true that most people will likely stick to the most
               | popular websites, but how likely are they to use Tor,
               | especially self-configured outside the Tor browser? I'd
               | bet the people who would do that are much more likely to
               | spend more time outside the most popular websites.
        
             | capitainenemo wrote:
             | Hm, this is probably a joke, but I do vast majority of my
             | browsing without javascript (noscript+umatrix or w3m). It's
             | especially pleasant on news sites which are crammed with
             | junk the few times I carelessly open them on the JS-only
             | profile I reserve for Google's app suite.
        
             | sneak wrote:
             | Ed Snowden said to turn off the fucking scripts.
             | 
             | So I did.
             | 
             | Most of the web works fine.
        
             | egberts1 wrote:
             | Pffft. Even JavaScript is now letting script kiddies make
             | persistent JS things of dubious nature, now that you can
             | write JS to store files.
        
             | tragictrash wrote:
             | I use brave and browse with JS disabled by default. Some
             | sites don't work, some do. I regularly decide the info I'm
             | looking for can be found somewhere else and back out of a
             | broken site because of it. Some sites I enable and proceed
             | with.
        
               | [deleted]
        
               | tlrobinson wrote:
               | > I use brave and browse with JS disabled by default.
               | 
               | That's hilarious given the founder of Brave (Brendan
               | Eich) literally invented JavaScript.
        
             | jason0597 wrote:
             | > Lets be real, you need to be using JavaScript for the
             | internet to be functional, _even within Tor_
             | 
             | That's incorrect, especially the last part. Dark services
             | work very hard to design their websites to work without JS,
             | due to these exact vulnerabilities. Nobody on the dark web
             | trusts JS, _at all_.
        
             | ziddoap wrote:
             | For everyday browsing I use NoScript, and rarely allow JS
             | to run (I don't have JS right now!). With Tor, JS is
             | _always_ disabled, 100% of the time.
             | 
             | Tor is a niche use case, and not running JS is a cost that
             | comes with the increased anonymity. I'm not using Tor to
             | watch my "How to cook rice" videos or funny cat videos.
        
               | [deleted]
        
               | divbzero wrote:
               | Which major sites still work just fine without JS? Which
               | ones do you have to avoid?
        
               | ziddoap wrote:
               | I mean, I don't have JS enabled for HN, although I don't
               | know if you count that as "major".
               | 
               | But I'm not really keeping track, honestly. If I come
               | across a website that isn't working with JS, I make the
               | decision "is this worth allowing JS?". Sometimes the
               | answer is yes, sometimes it is no. Often it means
               | enabling the first-party domain to run JS but no others.
               | 
               | Conveniently, some of the paywalls on various news sites
               | don't work with JS, but you can still read the article.
               | So that'd be some of them that arguably work better
               | without JS.
               | 
               | I don't use Tor for everyday browsing, only for the times
               | I need/want it. In those cases, the equation always
                | equals "no JS" -- that's the reason I'm using Tor in the
               | first place.
               | 
               | It's a balancing act, as all security always is.
        
               | vinni2 wrote:
                | Most important of all, porn doesn't work.
        
             | mardifoufs wrote:
             | Actually some DNMs heavily encourage you or even force you
             | to turn off Javascript before they let you log in/interact
             | with the website. So while I think that JS is probably
             | necessary for most of the regular web, that's not really
             | the case here. It's only true if you use Tor to browse the
             | clear net, which is probably not recommended anyways.
        
             | easrng wrote:
             | If a hidden service doesn't work without JS it's probably
             | run by feds.
        
             | [deleted]
        
             | HideousKojima wrote:
             | Nonsense. I was hired freelance to create a web forum for
             | someone who wanted it to run on Tor and making everything
             | work without JavaScript was the top requirement. The guy
             | wanted an option to enable JS for those who were willing to
             | trust it, but it was disabled by default and I designed all
             | parts of the forum to run without JS.
        
               | ihattendorf wrote:
               | No one said it's possible to design a site without
               | JavaScript, just that for the vast majority of the
                | internet, including sites users rely on, it's unusable
               | without it enabled.
        
             | omoikane wrote:
              | I regularly browse the internet via Lynx, which does not
             | support JavaScript. A lot of sites appear to be actively
             | hostile toward Lynx but there are some sites that are very
             | functional and even enjoyable.
        
             | elipsey wrote:
              | I just thought no JS just made the internet work better
             | sometimes, and now you're telling me I can be smug about it
             | too?
             | 
             | Now how much would you pay? :)
        
             | schroeding wrote:
             | True, disabling Javascript and surfing the (mainstream) web
             | is deep in the no-fun zone, maybe just above "using Lynx as
             | a day-to-day browser". :D
             | 
             | But what one could do is somewhat reduce the risk by only
              | running JavaScript from the actual domain and its
              | subdomains by default, with something like uMatrix[1]. Most
              | sites are already usable that way, and it's often obvious
              | (to most people on this site) what domains have to be
              | whitelisted to make it fully functional if they aren't. Or
             | actually whitelist the domain for every website on the
             | first visit. Tedious, but you only need to do it once per
             | site.
             | 
             | Doing so at least protects a bit against malicious iframes
             | or injected scripts from 3rd party domains, doesn't it? :)
             | 
             | [1] https://addons.mozilla.org/de/firefox/addon/umatrix/
        
               | btdmaster wrote:
               | uBlock Origin allows most of those things when it's opted
                | in: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering
        
               | account-5 wrote:
               | Is uMatrix being maintained again?
        
             | potatototoo99 wrote:
             | You say that on a website where you don't need JavaScript
             | either.
        
               | kube-system wrote:
               | Rumor is that there are dozens of websites that work
               | without JavaScript.
        
         | jiripospisil wrote:
         | Isn't it based on Firefox ESR, the Mozilla maintained version
         | of Firefox with slower feature updates?
        
         | fsflover wrote:
         | Or use Whonix on Qubes OS, relying on hardware virtualization
         | to protect you.
        
         | mrtesthah wrote:
         | The more unique your browser (i.e., the more you deviate from
         | the Tor Browser based on Firefox ESR), the more unique and
         | therefore fingerprintable you are.
        
           | RL_Quine wrote:
           | The Tor browser is 100% unique, it makes no attempt to
           | pretend to be anything other than itself. Your anonymity set
           | is other Tor users, not other Firefox users.
        
             | jandrese wrote:
                | The fact that they can detect that you're using the Tor
                | browser configuration isn't that shocking when they also
                | see that you are coming out of a Tor exit node, or the site
             | you are loading is an Onion site. The anonymity comes from
             | looking like every other person who downloaded Tails.
        
               | RL_Quine wrote:
               | Yes.
        
             | mrtesthah wrote:
             | This doesn't contradict anything I said. If you believe you
             | are contradicting what I said, perhaps you could rephrase
             | what you thought my comment was communicating. Otherwise, I
             | will interpret the intent of your reply as adding
             | supporting details.
        
         | cheeze wrote:
         | I've always assumed that Tor was a top target for 3 letter
         | agencies. In that sense, there is so much attention on it that
         | it's kinda pointless.
        
           | smm11 wrote:
           | Where did Tor come from, again?
        
             | lucb1e wrote:
             | "Comments should get more thoughtful and substantive, not
             | less, as a topic gets more divisive."
             | https://news.ycombinator.com/newsguidelines.html (Not sure
             | a rhetorical question to make some vague accusation counts
             | as a substantive comment)
        
               | ziddoap wrote:
               | It's not a "vague accusation", onion routing was
               | developed by the US Naval Research Academy ("NRL", a 3
               | letter government agency).
               | 
               | See https://en.wikipedia.org/wiki/Tor_(network)#History
               | for more detail.
        
               | lucb1e wrote:
               | The vague accusation is that because "onion routing"[1]
               | has roots in the military, it must have a backdoor that
               | we haven't uncovered in decades. If the person had posted
               | this Wikipedia link with the info you mentioned, for
               | example, I wouldn't have thought it unsubstantial per the
               | guidelines (even if the claim/accusation itself is
               | unsubstantiated by the evidence, that's a difference of
               | opinion and not a guidelines thing).
               | 
               | [1] Not the cryptography, not even the code
               | implementation, but just the general concept: having a
               | message packed in several layers of encryption such that
               | intermediate routers don't know the contents.
               | https://en.wikipedia.org/wiki/Onion_routing
        
             | jakear wrote:
             | Created by the US Navy and currently majorly funded by the
             | US Department of State, for those unaware.
        
           | tialaramex wrote:
           | For any such agency, a handful of Tor nodes gives your own
           | agents a useful secure channel. An _overwhelming majority_ of
           | nodes would give you good insight into what other users are
            | doing, but it's very hard to get such a majority since of
           | course all your competitors think the same. Putting in place
           | a handful of nodes to benefit your own agents is very
           | possible, so that's what you do.
        
         | stefan_ wrote:
         | They also still enable JavaScript by default, which is time and
         | time again the source of these vulnerabilities.
        
           | jerheinze wrote:
           | This has been eloquently addressed by Tor veteran Mike
           | Perry:[1]
           | 
            | Concerns about JavaScript are rooted in two avenues:
           | 
           | 1. Fingerprinting concerns.
           | 
           | 2. Zero-day exploits against Firefox.
           | 
           | The reason we feel that leaving Javascript enabled trumps
           | these concerns is:
           | 
           | 1. We want enough people to actually use Tor Browser such
           | that it becomes less interesting that you're a Tor user. We
           | have plenty of academic research and mathematical proofs that
           | tell us quite clearly that the more people use Tor, the
           | better the privacy, anonymity, and traffic analysis
           | resistance properties will become.
           | 
           | In fact, my personal goal is to grab the entire "Do Not
           | Track" userbase from Mozilla. That userbase is probably well
           | in excess of 12.5 million people:
           | http://www.techworld.com.au/article/400248/
           | 
           | I do _not_ believe we can capture that userbase if we ship a
           | JS-disabled-by-default browser.
           | 
           | 2. Exploitable vulnerabilities can be anywhere in the
           | browser, not just in the JS interpreter. We disable and/or
           | click-to-play the known major vectors, but the best solutions
           | here are providing bug bounties (Mozilla does this; we should
           | too, if we had any money) and sandboxing systems (Seatbelt,
           | AppArmor, SELinux).
           | 
           | [1] : https://lists.torproject.org/pipermail/tor-
           | talk/2012-May/024...
        
         | _wldu wrote:
         | I no longer use Tor either (unless I have to for work projects
         | such as remote pentesting).
         | 
          | What is your opinion of Landlock (Linux kernel 5.13 and newer)?
          | If we wrap vanilla Firefox in Landlock, proxy that to Tor and
          | use AppArmor/Tomoyo to further limit what Firefox could do
         | (when it gets compromised) then I think that would be a much
         | safer approach than using the Tor Browser Bundle.
         | 
          | Here's a Landlock wrapper (in Go) for Firefox:
         | https://github.com/62726164/misc/blob/main/go/landlock/firef...
         | 
          | Also, I've only ever been able to get Tomoyo to work as MAC for
          | Firefox. SELinux and AppArmor were too difficult.
        
       | rebelwebmaster wrote:
       | These are just the pwn2own vulnerabilities. Nowhere did Mozilla
       | ever say they were being exploited in the wild.
        
         | [deleted]
        
         | mmastrac wrote:
         | Perhaps they moved fast:
         | 
         | "Mozilla is aware of websites exploiting this vulnerability
         | already."
        
       ___________________________________________________________________
       (page generated 2022-05-25 23:00 UTC)