
Exploit vendor drops Tor Browser zero-day on Twitter - rauhl
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/
======
motohagiography
The incentives to develop Tor exploits, target Tor users, and the attack
surface of the browser could seem to make using it at all an exercise of poor
judgement.

You basically add some anonymity but change your threat model to include an
extremely high likelihood of injection attacks, and practically provoke every
state level agency to monitor you, where they might have previously ignored
you.

This was the pgp problem in the 90s where you would essentially be sending a
tracer round across the network saying, "hey everyone, these two people are
using encryption!"

Tor is a great effort and it gets people involved in privacy, but onion
routing to exit nodes on the internet has diminishing efficacy, and I think
everyone needs a clearer articulation of what and whose problem it solves.

~~~
kodablah
> onion routing to exit nodes on the internet has diminishing efficacy

How about onion routing to peers? Tor provides a great backbone to do this yet
so few applications employ it. I have ideas of course, but in general, it's
very easy to have a desktop app on your home computer that fires up an onion
service you can access from anywhere including mobile. Why more apps that
don't have high bandwidth requirements don't use it I'll never know.

~~~
adrianN
Tor could be the future protocol of the Internet of Things if big corporations
wouldn't want to sell all your data.

[https://github.com/n8fr8/talks/blob/master/onion_things/Inte...](https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20Onion%20Things.pdf)

~~~
JumpCrisscross
> _Tor could be the future protocol of the Internet of Things if big
> corporations wouldn't want to sell all your data_

I tried to use the Tor browser. The problem isn't "big corporations" but
speed, latency and my MacBook fans spinning when I try to read the newspaper.

~~~
zrm
Are you sure that last one isn't the newspaper website itself? They're
notorious for that and it would be surprising if you could actually push
enough traffic (maybe ~1Gbps sustained?) through a Tor circuit to max out even
one core on Tor itself.

~~~
colejohnson66
Or Bitcoin mining...

------
driverdan
I'm surprised no one is discussing how unethical Zerodium is. Selling
undisclosed vulnerabilities to the government for a tool designed to protect
users from government oppression is about as unethical as you can be.

~~~
gizmo385
Can you really call TOR a tool to "protect users from government oppression"
when the project itself is majority-funded by the US Department of Defense?

~~~
valarauca1
Yes you can.

You just need to accept that the US Government's agenda of regime change in
Vietnam, China, Iran, Cuba, Egypt, Venezuela, North Korea, Belarus, Russia,
Ukraine, and Turkey is the correct course of action of the continuing
development of international human rights.

Also it helps to ignore any chance that there could be a majority of the
population who sees their government's action as necessary, just, or even
acceptable. They're simply wrong and uninformed due to the oppression of their
government. Western European liberal capitalist representative democracy is
the only successful government which stands the test of time, we have nearly
200 years of data to support this, every other model by comparison simply
doesn't work.

~~~
EthanHeilman
>You just need to accept that the US Government's agenda of regime change in
Vietnam, China, Iran, Cuba, Egypt, Venezuela, North Korea, Belarus, Russia,
Ukraine, and Turkey is the correct course of action

I would like to see some citations that the US is pursuing regime change in
Vietnam, Egypt and Ukraine. The US is a direct supporter of both the Egyptian
and Ukrainian governments and on fairly decent terms with the government of
Vietnam.

>Also it helps to ignore any chance that there could a majority of the
population who sees their government's action as necessary, just, or even
acceptable. They're simply wrong and uninformed due to the oppression of their
government.

How do you gauge the support for censorship within non-democracies like North
Korea especially when opposition to censorship may be brutally punished? I'm
not saying that the population of North Korea is anti-censorship, I don't know
what they believe. I'm curious how you arrived at the conclusion that they are
pro-censorship.

~~~
valarauca1
To your first point.

The goal of TOR is to subvert local attempts to control internet access.
Generally this takes the form of censoring pro-western internet views, as the
internet in its more open-access form is a product of the western hegemony and
is filled with praise for the western hegemony's policies and its propaganda.

Attempts made by Governments to censor the external internet, and attempts
made by those outside of the government, cannot escape the political elements
of their actions. The goal is either the preservation of the current regime,
or the change/overthrow of the regime/party/structure; all political actions
boil down to this.

In light of these facts, the diplomatic relationships effectively serve as
short-term tools, while projects like TOR are long-term tools. The former
exists for PR, and making concrete treaties. The latter exists for building
political divisions over longer periods of time which can trigger national
instability and crises. See: Arab Spring.

> How do you gauge the support for censorship within non-democracies like
> North Korea especially when opposition to censorship may be brutally
> punished?

DPRK regularly has multi-party elections so I think we could gauge how the
people vote?

~~~
EthanHeilman
My first point was that you were saying the US is working to bring about
regime change in Vietnam, Egypt and Ukraine. I suspect this is not the case
for the reasons I gave, but I'd be willing to look at any evidence you have
for this.

>DPRK regularly has multi-party elections so I think we could gauge how the
people vote?

In a country such as North Korea where even minor disagreements with the
government result in torture it seems unlikely to me that a non-secret ballot
would be an effective way of gauging public views on controversial issues.

------
kodablah
Hrmm, can execute JS in FF's JSON viewer it seems. Still even with JS
available there are more steps required to deanonymize.

> This Tor Browser exploit was acquired by Zerodium many months ago as a zero-
> day and was shared with our government customers

Of course it was. The surface area of browser tech is just so large. We need a
subset of html+css and a browser that only renders that with a really simple
implementation (plus side, low bandwidth and terminal friendly). Not a full
browser with features conditionally disabled. I haven't put enough thought
into client-side scriptability so I'd punt on it for now, but I did put
thought into other parts the other day [0]. Many onion services don't want all
the features of the modern web anyways. The TBB can still exist for users of
full sites of course.

0 - [https://github.com/cretz/software-ideas/issues/92](https://github.com/cretz/software-ideas/issues/92)

~~~
pcwalton
There's no need to go that far. Just do what Mozilla already did for legacy
addons: kill them.

~~~
kodablah
For this issue and for JS execution maybe. But there are so many features in
modern browsers that the cat-and-mouse game of waiting for vulns to know
you've hit all of the places for fingerprinting and other deanon is untenable.
Couple that with extensions TBB bundles by default, e.g. https everywhere, and
the surface area is even larger.

TBB has value for general browsing, but secure browsing needs to be by
document format as much as implementation. Right now, the only reasonable
option for onion services is to have their site browsed via the large,
feature-rich bundle. Unfortunately, it requires a good bit of funding to build
a document browsing platform of any size so I definitely understand the
current practical approach.

------
TACIXAT
Speculation: Zerodium has an 8.x RCE and burns the 7.x noscript bypass to get
users to the new version. Added bonus of publicity.

~~~
legatus
That's an interesting explanation. "We have decided to disclose this exploit
as it has reached its end-of-life and it's not affecting Tor Browser version 8
which was released last week. We also wanted to raise awareness about the lack
(or insufficient) security auditing of major components bundled by default
with Tor Browser and trusted by millions of users." is the explanation
provided by Zerodium. End of life? Raise awareness? Sounds like shitty PR to
me... There must be other explanations. Does anyone have any idea, beyond the
one already provided above?

~~~
emerongi
Maybe there's a slight chance that they just want to undermine Tor and make
people question its security.

But honestly, the parent's idea seems quite likely.

~~~
rav
If they're in the business of buying and selling Tor browser zero-days, I'd
think they shouldn't be undermining the adoption of the Tor browser...?

~~~
emerongi
Some agency might want to do that. Could have just paid Zerodium to make such
a strong statement.

~~~
loa-in-backup
Cheaper than decrypting and mitm-ing all this traffic. Scare ordinary people
away, and it becomes more likely to randomly pick a valid target.

------
yeloboy
Strip the javascript engine out of the Tor browser, it has no reason to be
there. It defeats the purpose of using Tor if you're gonna allow Javascript to
run.

It'd be much easier to just strip it all out, despite breaking site support in
the process. Especially since Tor is usually used to access hidden services
instead of the clearnet.

~~~
evilpie
Firefox doesn't work without a JavaScript engine.

~~~
flatiron
what about just toggling javascript.enabled ?

~~~
tmpaccount823
I can confirm that setting javascript.enabled to false would have prevented
that bug in older versions.

I've always thought that the highest security setting would set it to false on
its own, but apparently it does not.

------
laken
Wow, that's quite the vulnerability.

Several years ago, the FBI used JS-based identification scripts on an entire
hidden-service hosting service to identify visitors.

[https://www.wired.com/2013/09/freedom-hosting-fbi/](https://www.wired.com/2013/09/freedom-hosting-fbi/)

I wonder if it's already being used in the wild by governmental agencies.

~~~
otriv
The article says:

> This Tor Browser exploit was acquired by Zerodium many months ago as a zero-
> day and was shared with our government customers.

It's a possibility that it has been used. I'm not sure if a government would
buy an exploit and not use it before it's patched, unless they couldn't find
any use for it. This exploit is different than the one the FBI used on the
child porn site though. They'd need to combine it with something that can
bypass the Tor Browser's socks5 setting. It would be a much bigger deal if
they had an exploit that could do that.

~~~
djsumdog
> This exploit is different than the one the FBI used on the child porn site
> though

I was wondering if this was related to the Playpen case. I thought the FBI
refused to release any information on that (and subsequently charges were
dropped against several of the people they arrested).

Who has discovered what was the Tor Browser's socks5 setting?

------
Tepix
Woah! I'm wondering - is this a side effect from disabling JavaScript using
NoScript instead of using the "javascript.enabled" flag in about:config ?

Also, what's a good way to capture all HTTP traffic (after decryption) to
find/analyze exploits like this being used against me?

------
pcwalton
An important takeaway from this is that legacy addons in Firefox were
dangerous. The API was too large and powerful for most developers to use
safely.

Web Extensions were designed with security in mind and are much safer as a
result.

------
jermaustin1
Is it ever valid/legal to accept multiple content-types like this? Or is this
a regression bug that was introduced?

~~~
deathanatos
This isn't even "multiple content-types", the value is just malformed. The ";"
would normally introduce parameters to the content-type, such as in
"text/plain; charset=utf-8". Here, "/json" is just garbage.

It isn't allowed to have multiple content-types. (And it would make no sense.)
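
Following up on the point above about what the ";" introduces in a Content-Type value, and on Tepix's question higher in the thread about spotting exploits like this in captured (post-TLS) traffic: the block below is an added example, not code from this thread, from Firefox, or from NoScript. It implements a strict media-type parser following the RFC 7231 grammar (`type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )`), sets it beside a hypothetical lenient "contains json" check (an assumption for illustration only; the thread does not say how Firefox's JSON viewer actually classified the response), and runs a scan over constructed sample response headers that flags any Content-Type value that does not parse. The header samples are constructed, not captured.

```javascript
// Added example (not code from this thread, from Firefox, or from NoScript).
// A strict RFC 7231 media-type parser, a hypothetical lenient "contains json"
// check for contrast, and a scanner that flags malformed Content-Type values
// in constructed sample HTTP response header blocks.

// RFC 7230 "tchar": the characters allowed in a token.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse `type "/" subtype *( OWS ";" OWS parameter )` where
// parameter = token "=" ( token / quoted-string ).
// Returns { type, subtype, params } or null when the value is malformed.
// Documented simplification: a quoted-string parameter value that itself
// contains a literal ";" is not handled, because the value is split on ";".
function parseMediaType(value) {
  if (typeof value !== 'string') return null;
  const parts = value.split(';');
  const [type, subtype, ...extra] = parts[0].trim().split('/');
  if (extra.length > 0 || !TOKEN.test(type || '') || !TOKEN.test(subtype || '')) {
    return null;
  }
  const params = {};
  for (const raw of parts.slice(1)) {
    const p = raw.trim();
    const eq = p.indexOf('=');
    // "/json" has no "=", so it is not a parameter at all: reject the value.
    if (eq <= 0) return null;
    const name = p.slice(0, eq);
    let val = p.slice(eq + 1);
    if (!TOKEN.test(name)) return null;
    if (val.startsWith('"')) {
      if (val.length < 2 || !val.endsWith('"')) return null;
      val = val.slice(1, -1).replace(/\\(.)/g, '$1'); // unescape quoted-pair
    } else if (!TOKEN.test(val)) {
      return null;
    }
    params[name.toLowerCase()] = val;
  }
  return { type: type.toLowerCase(), subtype: subtype.toLowerCase(), params };
}

// Hypothetical lenient classifier (assumption for illustration, not Firefox's
// real logic): any header value mentioning "json" is treated as JSON. This is
// the kind of check that "text/html;/json" satisfies.
function lenientIsJson(value) {
  return /json/i.test(value);
}

// Strict classifier: only a well-formed media type whose subtype is "json" or
// carries the "+json" structured-syntax suffix counts as JSON.
function strictIsJson(value) {
  const mt = parseMediaType(value);
  return mt !== null && (mt.subtype === 'json' || mt.subtype.endsWith('+json'));
}

// Scan raw HTTP response header blocks and return every Content-Type value
// that fails strict parsing. This is the signal an analyst reviewing decrypted
// traffic would want surfaced when looking for a malformed-header trick.
function findMalformedContentTypes(headerBlocks) {
  const hits = [];
  for (const block of headerBlocks) {
    for (const line of block.split(/\r?\n/)) {
      const m = /^content-type:\s*(.*)$/i.exec(line);
      if (m && parseMediaType(m[1]) === null) hits.push(m[1].trim());
    }
  }
  return hits;
}

// Constructed sample responses (not captured traffic).
const SAMPLE_RESPONSES = [
  'HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 2\r\n',
  'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n',
  'HTTP/1.1 200 OK\r\nContent-Type: text/html;/json\r\n',
  'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset="utf-8"\r\n',
];

console.log('lenient sees JSON in "text/html;/json":', lenientIsJson('text/html;/json'));
console.log('strict sees JSON in "text/html;/json":', strictIsJson('text/html;/json'));
console.log('malformed Content-Type values:', findMalformedContentTypes(SAMPLE_RESPONSES));
```

Save it as a file and run it with `node`. The design point is that a component deciding how to render a response should key off the parsed subtype of a well-formed value and treat anything that does not parse as not matching at all, rather than doing a best-effort substring match; the scanner applies the same "reject on malformed" rule to headers taken from a proxy or capture after TLS termination, which is one practical answer to the "how do I spot this against me" question.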

~~~
jermaustin1
My thought was for a "mixed media" like multi-part form data. Maybe the
response would be text/plain; text/json (or shortened because the first one is
text/plain to just /json).

I will do mental gymnastics to try and figure out if something was meant to be
a certain way or not.

