Tor Privacy Network Breached: I Told You So

 
 
By Sean Michael Kerner  |  Posted 2013-08-06

Approximately two and a half years ago, the Tor (The Onion Router) Web anonymity project announced that it was going to build its own Web browser, to be known as the Tor Browser.

The Tor network provides a way for users to anonymize their online activities by running data packets through a number of "onion routers," which are servers that relay the user traffic but not the original header information (which indicates the user's IP address). Prior to the Tor Browser, what many users did (myself included) was to simply use the Tor Button, which was a Firefox add-on that enabled Tor access on top of Firefox.

The Tor people back in 2011 thought that the Tor Button was a less-than-ideal solution and that building their own browser was a better idea. I wrote a blog post in May of 2011 warning of the risks of that approach and that it could lead to ruin.

I was right.

This past week, Tor revealed that unidentified sources (which some reports—that I've been unable to independently verify—claim to be from U.S. government agencies) had hacked the Tor network by way of a vulnerability in the Tor Browser. According to the Tor Project, a hidden server network operated by Freedom Hosting was taken offline by the attack.

So how was this attack enabled, and why was I right?

You see, what happened back in 2011 is that Tor "forked" (made its own derivative version of) Firefox. So instead of directly and immediately benefiting from Mozilla's regular security updates (as they would have with the Tor Button), the Tor developers took it upon themselves to ensure their browser was updated and secured.

Bad move.

As I wrote back in 2011, maintaining a browser in the modern threat era is a non-trivial task. The Mozilla security team is the best of the best because it benefits from both its own expertise and that of its massive community of users. Back to the present: The Tor Browser vulnerability is actually one that Mozilla had already fixed more than six weeks ago. The Tor Browser was based on the Extended Support Release (ESR) version of Firefox currently at version 17.0.8 (the flaw that hit the Tor Browser was fixed in the 17.0.7 release, which came out on June 25 of this year).

So to recap, if the Tor Browser had been just the Tor Button add-on, instead of a separate browser, the same flaw would not have been exploitable—it would have been fixed. Going a step further, if the Tor Browser had an automatic or silent updating system like Firefox does today (Chrome has it too), users would automatically be updated to the latest release.

The lesson here for me is a simple one: Don't fork your own browser unless you can aggressively track and quickly accept all security patches that come from the upstream project you forked from. Doing anything else leaves you open to unknown risks.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

 
 
 
 
 
 
 
 
 

16 Comments for "Tor Privacy Network Breached: I Told You So"

  • Qwerty August 08, 2013 4:17 am

    Ah, where to begin.

    1. The Tor network was not hacked. A single hosting provider was compromised and used to spread tracking malware through a very targeted vulnerability in the old Windows version of the Tor Browser, and only if the user enabled scripts (which they shouldn't). Saying Tor was hacked because of a single malware-distributing host is completely inaccurate.

    2. The Tor browser's security is still handled by Mozilla and the other code contributors. It incorporates security fixes from Firefox's ESR (currently version 17).

    3. At the time of the attack, the Tor Project had long since patched the vulnerability. I cannot stress this enough. This vulnerability had already been fixed by the time the attack was sent, on schedule with Mozilla's Firefox ESR. It had been fixed for around a month.

    4. Tor Project was right to compile their own secure version. While it may appear similar to you, the Tor Browser is actually very secure compared to some builds of Firefox in the case of Tor usage. Why? Configuration. You should first think of what the users of the alternative option, those who just point their web browser over to the Tor SOCKS port, are actually. They are taking their own browser, usually customized and some with insecure plugins and extensions like the notorious Java and Flash plugins. Browser configurations differ greatly per-user, and browser fingerprinting is a very real attack to identify a user. To protect against this, the Tor Browser is modified to give incorrect or blank information for some nonessential data points. Because they all act more or less the same way, fingerprinting a user of the Tor Browser Bundle is nearly impossible. In contrast, most end users don't even know how to modify Firefox to do that. There are other tweaks to protect against certain attacks, but know this: it would take hours for an end-user to properly configure their version of Firefox so that it is anonymous. Under the hood, the configuration is simply too different. Finally, even old versions of the Tor Browser were only vulnerable if the user was foolish enough to enable scripts. The NoScript plugin shut off the vector for the attack even on old, vulnerable versions.

    Conclusion: It would be significantly easier to identify a Tor user were they to use and try to configure their own browser manually. There are some significant drawbacks to the Tor Browser Bundle approach (check out TAILS or Whonix for two projects helping the anonymity of Tor users even more), but none of them could be fixed by simply adding the Tor Button to vanilla web browsers.

  • M.J.M August 08, 2013 3:42 am

    Say WHAT!? Say WHAT!? Say WHAT!? Why do people like you post their posts over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and "over" and OVER and "OVER" again!??!!? Do you "REALLY" think that if you repeat yourself 200 figgin' times, it'll get your message across more "effectively!?" That's STUPID! Just say what you got to say ONE TIME!.. Then be DONE with it! Parrots like you irritate the CRAP out of people! Believe me, excessive repetition accomplishes NOTHING! H H H.

  • wayne August 07, 2013 6:33 pm

    The takeaway should be that if a server can be breached through a flaw in the browser, attackers will use flawed browsers.

  • Edward August 07, 2013 11:07 am

    The Tor Project browser comes configured with specific settings altered to the Firefox ESR defaults, along with NoScript pre-installed. Your article is quite misleading, as is a lot of the news media jumping on this incident and using sensationalism as link bait. Your taunting 'I told you so' only applies in the most vague sense in that it only fits the users who intentionally clicked through the usage of blocked javascripting on their own accord. Tor Project's site clearly warns against this.
