Approximately two and a half years ago, the Tor (The Onion Router) Web anonymity project announced that it was going to build its own Web browser, to be known as the Tor Browser.
The Tor network provides a way for users to anonymize their online activities by running data packets through a number of “onion routers” that are servers that relay the user traffic but not the original header information (which indicates the user IP address). Prior to the Tor Browser, what many users did (myself included) was to simply use the Tor Button, which was a Firefox add-on that enabled Tor access on top of Firefox.
The Tor people back in 2011 thought that the Tor Button was a less-than-ideal solution and that building their own browser was a better idea. I wrote a blog post in May of 2011 warning of the risks of that approach and that it could lead to ruin.
I was right.
This past week, Tor revealed that unidentified sources (which some reports—that I’ve been unable to independently verify—claim to be from U.S. government agencies) had hacked the Tor network by way of a vulnerability in the Tor Browser. According to the Tor Project, a hidden server network operated by Freedom Hosting was taken offline by the attack.
So how was this attack enabled, and why was I right?
You see, what happened back in 2011 is that Tor “forked” (made its own derivative version of) Firefox. So instead of directly and immediately benefiting from Mozilla’s regular security updates (as they would have with the Tor Button), the Tor developers took it upon themselves to ensure their browser was updated and secured.
Bad move.
As I wrote back in 2011, maintaining a browser in the modern threat era is a non-trivial task. The Mozilla security team is the best of the best because it benefits from both its own expertise and that of its massive community of users. Back to the present: The Tor Browser vulnerability is actually one that Mozilla had already fixed more than six weeks ago. The Tor Browser was based on the Extended Support Release (ESR) version of Firefox currently at version 17.0.8 (the flaw that hit the Tor Browser was fixed in the 17.0.7 release, which came out on June 25 of this year).
So to recap, if the Tor Browser had been just the Tor Button add-on, instead of a separate browser, the same flaw would not have been exploitable—it would have been fixed. Going a step further, if the Tor Browser had an automatic or silent updating system like Firefox does today (Chrome has it too), users would automatically be updated to the latest release.
The lesson here for me is a simple one: Don’t fork your own browser unless you can aggressively track and quickly accept every security patch from the upstream project you forked from. Doing anything else leaves you open to unknown risks.
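One way to make that tracking mechanical is to compare the fork's upstream base version against the upstream security release stream and report every fix the fork has not yet absorbed, with how long each has been public. The following is an added example, not code from the article or the Tor Project; the fork base of 17.0.6, the 17.0.8 release date, the "today" date and the advisory identifiers are assumptions or placeholders, while the 17.0.7 release on June 25, 2013 is the only date taken from the article.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class UpstreamRelease:
    version: str
    released: date
    security_fixes: tuple  # advisory ids shipped in this release (placeholders below)


def parse_version(version: str) -> tuple:
    """Turn '17.0.8' into (17, 0, 8) so comparison is numeric.

    Plain string comparison would rank '17.0.10' below '17.0.9'.
    """
    return tuple(int(part) for part in version.split("."))


def missing_fixes(fork_base: str, upstream: list, today: date) -> list:
    """Return every upstream release newer than the fork's base, oldest first,
    with the number of days its fixes have been public but absent from the fork."""
    base = parse_version(fork_base)
    gaps = []
    for rel in sorted(upstream, key=lambda r: parse_version(r.version)):
        if parse_version(rel.version) > base:
            gaps.append({
                "version": rel.version,
                "days_exposed": (today - rel.released).days,
                "fixes": list(rel.security_fixes),
            })
    return gaps


# Constructed upstream release stream for Firefox 17 ESR. Only the 17.0.7 date
# comes from the article; 17.0.8's date and the advisory ids are placeholders.
UPSTREAM_ESR17 = [
    UpstreamRelease("17.0.7", date(2013, 6, 25), ("ADVISORY-PLACEHOLDER-1",)),
    UpstreamRelease("17.0.8", date(2013, 8, 6), ("ADVISORY-PLACEHOLDER-2",)),
]

if __name__ == "__main__":
    # Assumed: the fork is still on 17.0.6 and the check runs on 2013-08-09.
    for gap in missing_fixes("17.0.6", UPSTREAM_ESR17, date(2013, 8, 9)):
        print(f"missing {gap['version']}: {gap['fixes']} "
              f"public for {gap['days_exposed']} days")
```

Run as a release gate in the fork's build, a non-empty result blocks the build until the upstream fixes are merged.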
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.