
Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale - Jerry2
https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95#.gdy1zklnp
======
FiloSottile
This piece is charged with the personal bias of the author
([https://twitter.com/movrcx](https://twitter.com/movrcx)) who launched a
hostile fork of the Tor Browser Bundle because "untrustworthyness".

I recommend you read this instead, which provides a more level-headed and
technically correct analysis of the vulnerability (which was there, even if
not properly in the terms described by OP):

[https://hackernoon.com/postmortem-of-the-firefox-and-tor-cer...](https://hackernoon.com/postmortem-of-the-firefox-and-tor-certificate-pinning-vulnerability-rabbit-hole-bd507c1403b4#.5131vw39b)

~~~
nzp
Oh but not just any kind of “untrustworthyness”, from what I gathered from
Twitter at the time, he did it after the Appelbaum affair broke out to provide
a “non-SJW” fork of Tor Browser. And if I'm not mistaken, he initially forked
the wrong repo, it was a running joke for a couple of days... Nice to see the
farce still going strong.

EDIT: s/Tor/Tor Browser/

~~~
petertodd
Actually, people thought he forked the wrong repo because he forked the
browser, not the Tor node repo... and then he finds this bug in the browser.

I suspect that wasn't planned, but regardless, he did fork the "right" repo.

~~~
nzp
Ah, right, thanks. But, this thread got me thinking yesterday — if TP is
untrustworthy, shouldn't he have forked node code? What use is what I
understand is just a Firefox with locked down security related settings and
set up to proxy through Tor? So in that sense he did fork the wrong code, and
the TP people were right.

~~~
petertodd
Well, one explanation is that he thinks the threat model is such that a more
likely risk is RCEs into the browser; if Tor directory authorities are doing
untrustworthy things that can probably be more easily detected than deliberate
exploits.

It's also a very pragmatic plan: rebooting the whole Tor relay/exit node
community is going to be a long term project without clear gains in the end;
if your replacement looks like Tor in that you continue to invite volunteers
to run nodes if the previous set of nodes are compromised what prevents those
nodes from joining your network too? Arguably better to focus on forking what
you can fix, which is apparently the browser.

But that's all a charitable explanation: the less charitable explanation was
he forked the browser because that's where the Tor branding is... Fork the
relay codebase and you can't take pretty screenshots of your new fork.

------
lucastx
From /r/TOR:

"Old news. This was fixed in 6.0.5.

[https://blog.torproject.org/blog/tor-browser-605-released](https://blog.torproject.org/blog/tor-browser-605-released)

Interesting note: The author is part of the rotor browser fork that is going
no where so far. Doesn't look like the reported issue has been fixed there. In
fact, no commits since before this blog post."

[https://www.reddit.com/r/TOR/comments/53u1cd/tor_browser_exp...](https://www.reddit.com/r/TOR/comments/53u1cd/tor_browser_exposed_antiprivacy_implantation_at/d7w7n8t)

~~~
4ad
> Old news. This was fixed in 6.0.5.

6.0.5 was released _five_ days ago. There is no universe where this qualifies
as old news.

------
Mizza
Tor is not, nor has it ever been, trustworthy. Hell, you can still try active
deanonymization for yourself:
[https://github.com/Miserlou/Detour](https://github.com/Miserlou/Detour)

This didn't used to be a problem, as it was essentially run as a sandbox
project for the academic anonymity community. It was very up front about its
capabilities and limitations.

Unfortunately, in recent years, the US government has been bankrolling more
"privacy" software development through its propaganda arms (OTF, RFA, etc.),
and the Snowden revelations have led private foundations to follow suit.

As such, the organization doubled down on rebranding to be a "human rights"
_tool_, as this is what grant giving organizations love to promote (free
speech in Iran, activist publishing, etc.). This, combined with overly
enthusiastic do-gooders gaining more and more prominence in the Tor
organization, has led to the dangerous situation of promoting inherently
insecure software as a security solution to vulnerable people. This is a
general problem in the scene (remember when those activists in South America
got vanned for using CryptoCat?) - and one that I've been guilty of myself in
the past.

I really hope the new board steers them back to the academic realm and slaps
a big red USE AT YOUR OWN RISK warning on the tin. Unfortunately, I think the
opposite will happen.

~~~
nickbail3y
I'm not sure where this narrative is coming from. TOR was developed as an
anonymous network by the US Naval Research Lab. It was designed for use by
military and intelligence. TOR was never just some academic experiment.

TOR is still a valid tool. No, it wasn't designed to foil NSA level
surveillance, because it was built by the US. But this vulnerability isn't
even related to TOR, it has to do with the TOR Browser.

The Snowden leaks contain slides where the NSA clearly laments the use of TOR,
so saying that it never has been trustworthy is simply not true.

~~~
Mizza
It was "designed" for military use in the sense they were computer scientists
working for the Naval research, but the community felt like an academic one.
For instance, it was originally published at USENIX. The majority of
discussion of Tor was related to papers on Anonbib, not about code itself. TBB
didn't even exist until much later. I've never seen any evidence that it was
ever used "in production" by the military before it was made public.

Re: The NSA Tor slides - they're really not as damning as you say -
[http://i.imgur.com/cnOeVQf.png](http://i.imgur.com/cnOeVQf.png) - and
they're also made before the FBI was caught using remote code execution
exploits against Tor users.

~~~
nickbail3y
> but the community felt like an academic one

How do you know what the development environment 'felt' like? Are you Roger
Dingledine or Nick Mathewson?

And I doubt that you will find any evidence that it was used before being made
public. Using TOR before it was public would be like screaming, "HEY I'M
HIDING SOMETHING! AND I'M US MILITARY OR INTELLIGENCE!". The whole point of
releasing it was to gather a userbase. Otherwise, TOR wouldn't be very
anonymous at all.

~~~
Mizza
I was working on a related anonymity project at the same time, funded by the
same grant giving organization. I lurked and participated, I have met RD and
NM IRL, and I have been a hidden service operator for many years. That being
said, I am only at the far periphery of the project. But, I have been out here
for a while and I stand by my original statement.

~~~
nickbail3y
Well despite our differences in opinion, I respect your contribution to
anonymity and privacy. And I'm a bit envious that you've met RD and NM.

~~~
petertodd
They're just normal guys, who are quite approachable - go to the right
conferences and you'll meet them.

------
necessity
Yet again, TOR gets blamed for a Firefox vulnerability. Surprise, surprise...

~~~
mtgx
The fact that Mozilla is so slow in implementing real per-process sandboxing
in Firefox and that it doesn't even plan to rewrite most of the browser in
Rust over the next few years, makes me think that maybe Tor should just bite
the bullet and rebuild on top of Chromium, while vigilantly watching out for
anti-privacy features in it that they can remove.

~~~
indolering
They can't use Chromium because the Chrome team refuses to maintain certain
features required by Tor, such as routing all traffic through the SOCKS proxy
[0]. They would have to literally create a new browser.

0:
[https://bugs.chromium.org/p/chromium/issues/detail?id=80722#...](https://bugs.chromium.org/p/chromium/issues/detail?id=80722#c33)

~~~
nilved
They're targeting the wrong level of abstraction. I think people should use
Whonix or Tails instead of Tor Browser.

~~~
tribby
>I think people should use Whonix or Tails instead of Tor Browser.

I'm not sure I follow. Tor Browser is the default browser of both operating
systems.

~~~
haser_au
Whonix and Tails are OSes, meaning they could override what the browser tries
to do in terms of network access. If Chromium prevents a plugin from directing
all traffic to SOCKS, just take control of Chromium's network settings from
the underlying OS (Whonix, Tails).

Note: This just answers the question about browsers or other pieces of
software that don't allow control of their network components. It doesn't
address a vulnerability in that software.

------
willvarfar
The same MitM update attack can be leveled against all Firefox users, and not
just Tor browser users?

~~~
necessity
Yes, but being the man in the middle is much easier when the target willingly
places you in the middle of his connection...

The whole situation can be worked around by using a custom prefs.js that
disables auto updating addons (there are various other attacks that can be
prevented by tweaking settings in about:config such as the webrtc related
ones) and there are various websites providing privacy oriented prefs.js. A
better workaround would be for the TOR browser maintainers to ship such a file
with it, and a solution would of course be Mozilla fixing things on their side.
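
The prefs.js workaround described above, as an added example that is not part of this thread and not Tor Browser's or Mozilla's own code: a small auditor that parses `user_pref(...)` lines, reports which of the settings the comment mentions are still at their weak value (add-on auto-update on, WebRTC on), and emits a hardened copy. The pref names are real Firefox about:config keys; the sample file content is constructed for the demonstration. Note the trade-off the comment implies: turning off add-on auto-update also stops legitimate add-on fixes from arriving, so a profile hardened this way needs some other update path.

```python
"""Audit and harden a Firefox user.js / prefs.js for add-on auto-update and WebRTC.

Added example: not code from the thread, Tor Browser or Mozilla. Pref names
are real Firefox about:config keys; SAMPLE_WEAK is a constructed input.
"""
import re

# Settings a privacy-hardened profile should pin, with the value wanted.
# extensions.update.* control automatic add-on update checks;
# media.peerconnection.enabled controls WebRTC.
EXPECTED = {
    "extensions.update.enabled": False,
    "extensions.update.autoUpdateDefault": False,
    "media.peerconnection.enabled": False,
}

# Matches  user_pref("name", value);  or  pref("name", value);
_PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Constructed sample resembling a default profile (not a real Tor Browser file).
SAMPLE_WEAK = """\
// constructed sample; add-on auto-update is on and WebRTC is left at default
user_pref("extensions.update.enabled", true);
user_pref("extensions.update.autoUpdateDefault", true);
user_pref("browser.startup.homepage", "about:blank");
"""


def _parse_value(raw):
    """Turn the textual pref value into a Python bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def _format(name, value):
    """Render one user_pref line from a Python value."""
    if isinstance(value, bool):          # bool before int: True is an int too
        literal = "true" if value else "false"
    elif isinstance(value, int):
        literal = str(value)
    else:
        literal = '"%s"' % value
    return 'user_pref("%s", %s);' % (name, literal)


def parse_prefs(text):
    """Parse prefs.js-style text into {name: value}, ignoring comments/blank lines."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//") or stripped.startswith("#"):
            continue
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit(text):
    """Return (name, actual, wanted) for each EXPECTED pref that is missing or weak.

    A missing pref is reported with actual == "missing", since the browser
    default then applies and that default is the weak setting.
    """
    prefs = parse_prefs(text)
    findings = []
    for name, wanted in EXPECTED.items():
        if name not in prefs:
            findings.append((name, "missing", wanted))
        elif prefs[name] != wanted:
            findings.append((name, prefs[name], wanted))
    return findings


def harden(text):
    """Return a copy of the prefs text with every EXPECTED pref set to its wanted value."""
    seen = set()
    out = []
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m and m.group(1) in EXPECTED:
            seen.add(m.group(1))
            out.append(_format(m.group(1), EXPECTED[m.group(1)]))
        else:
            out.append(line)           # comments and unrelated prefs pass through
    for name, wanted in EXPECTED.items():
        if name not in seen:
            out.append(_format(name, wanted))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, actual, wanted in audit(SAMPLE_WEAK):
        print("%s: is %r, want %r" % (name, actual, wanted))
    print(harden(SAMPLE_WEAK))
```

Running it on the constructed sample reports the two update prefs as `True` and WebRTC as `missing`; the hardened output keeps the unrelated homepage line, rewrites the two update prefs to `false`, and appends an explicit `media.peerconnection.enabled` line so the browser default no longer decides.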

------
nixos
Using Tor may actually be less secure than using a normal browser.

At least when I connect to Microsoft, Google, Facebook, etc. I don't expect to
get hit by a driveby JS exploit, and Google does help with "safe browsing".

With Tor, you're one HTTP website (or not HSTS website) away from a driveby
virus, with no way to tell that you're connecting to a dangerous exit node.

~~~
tedks
Tor Project runs several scanners for this behavior. Arguably, unless your
ISP, ISP's ISP, coffee shop, etc., are all 100% on top of their game, this
could happen in any one of those environments too.

~~~
nixos
So they shut down a node, the node operator notices and restarts it.

The problem is that people actually make money from malware. It's not bored
college kids showing off skills. It's pros.

So think like a pro. You use a zero day to hack into Verizon to feed malware,
get noticed, and your hack gets reversed after an hour.

You open an exit Tor node on a VPS, use it to feed malware, profit. They close
it, you re-open it on another host. They play whack-a-mole, and you rake it in.

~~~
tedks
The thing is that it takes a significant amount of time and bandwidth to get
flagged as an exit and included on circuits. So your set of hosts is going to
be pretty limited to start; most hosts are pretty hostile to Tor exits as it
is, and are going to shut down an exit hosted in their IP space because they
don't want to deal with the abuse complaints. In contrast, the exit scanner
can be part of the first users of an exit node. You could try to detect the
scanner, but the nature of Tor is that this isn't feasible.

In any case, you can solve the problem of distributing software over Tor by
setting up a hidden service. The Tor devs have been making noise for a while
about creating an "onion service" that isn't hidden, but has the same
guarantees as a hidden service (an improved version of exit enclaving).

------
mdadm
>The entire security of the Tor Browser ecosystem relies on the integrity of a
single TLS certificate that has already been previously compromised.

Seriously? That seems like a really weird - to say the least - decision to
make about something this important...

~~~
throwanem
It's the certificate used to sign TLS for addons.mozilla.org. Since "Tor
Browser" is a lightly modified Firefox that hasn't had its automatic addon
update checking disabled, and Mozilla's addon signing process is an automated
rubber stamp, that's a problem.

To be clear, I don't think it's so much a problem on Mozilla's part; perhaps
manual review would be a good idea, but I doubt they have the resources. The
problem here is that Tor Browser has claims made for it that aren't supported
by the amount of work that's actually gone into making it secure. That would
appear to be entirely on the people who run the Tor foundation, or whatever
nonprofit structure it is that they use.

------
rnhmjoj
Is it really so easy to control a significant portion of tor exit nodes? I
seem to remember there are automatic systems and members of the project
checking for suspicious nodes.

~~~
nilved
Yes, it's happened at least once before with Carnegie Mellon.

------
nijiko
> Using Tor

This is the joke right?

