Although the method of the attack didn't directly break Tor/VPN, the nature of it has compromised confidence in those technologies.
What good is using Tor or a VPN if I can't be sure any web page I load will compromise me? Suddenly every single link becomes a potential land mine... is the web server compromised? Is it safe?
You could argue that, of course, loading a malicious web page will do malicious things. But in this case, the malicious code is compromising all further web activity as well from the sounds of it.
AIUI the issue only occurs when you're browsing through Tor with a browser profile that also contains logins to Chinese websites linked to your identity.
This is why you shouldn't run your regular browser session through TOR for critical work and use the Tor Browser Bundle instead, with a separate profile, with an as-paranoid-as-possible configuration (minimal cross-site requests! use µMatrix, not just NoScript) if you really want to avoid information leakage.
Tor itself can only do so much, it doesn't magically prevent your browser from telling the world that you're person X.
@dang: if one flags such a click-baity headline, will the account get banned/shadowed for that task? How do I know if my account has crossed the invisible line? Who can check that? The karma ratio indicator vanished from the profile page.
HN title reads: China has now compromised VPNs and Tor
The NYT title, "Chinese Hackers Circumvent Popular Web Privacy Tools", is more accurate than the HN title. China has not "compromised" TOR and VPNs, they've circumvented them. They remain intact and working as designed. "Compromised" is the wrong word here. "Circumvent" is the correct word.
TL;DR: Tor and VPN are safe. What they did is hack some big Chinese websites (or force them to be vulnerable or something). Then when a Tor or VPN user visits one of these websites they can be unmasked somehow. It's unclear to me what malicious code is used, whether you need to be logged into one of these websites, whether it can then unmask you when you visit other (not one of the hacked) websites, etc.
Another point of interest in the article might be the fact that they blocked VPN protocols to prevent people from using them. And, in case you missed it, the Chinese government tried to knock GitHub offline by hijacking a Chinese website's traffic (Baidu).
---
This is a really terrible article. It doesn't really explain how it works, claims a government cracked things that are uncracked, claims it's the Chinese government while that's only assumed (based on "who else would go to such extensive lengths" mentioned by someone), and misnames things. For example:
> The vulnerability, known as JSONP
Uhm, no. This is JSONP:
> JSONP [is] a communication technique used in JavaScript
"What made the attacks particularly serious, Mr. Blasco said, was that as long as the victims were logged into China’s 15 top web services — including major portals like Baidu, Taobao, QQ, Sina, Sohu, Ctrip and RenRen — the attackers could identify them and siphon off their personal digital information, even if their victims were logged into Tor or a VPN.
They did this with the aid of a particularly serious vulnerability that 15 web services in China apparently never patched."
What does any of this mean? I really can't figure it out. I thought it was standard advice to never, NEVER log into anything which can identify you while you're using Tor (which is why the best way to do it is from Linux distributions on a stick). And the talk about Facebook fixing this "gaping hole" in their security... If someone could clarify all of this, or maybe provide a better link, I would be grateful.
The interesting takeaway here is that Chinese web services deliberately delay/don't patch their services to accommodate Chinese spoofing. In this case the JSONP vulnerability from 2013 allows them to hack a user's computer, thereby compromising any data on that computer.
Sounds like incorrect use of Tor? I suppose while using it you still must take care to not send stuff along that could compromise you, like your Facebook login cookie?
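The class of problem the comments above circle around, as an added example that is not part of the original thread or the article: a JSONP endpoint that returns the logged-in user's details identifies that user to any page that includes it, whatever network path the request took. It assumes that is the kind of endpoint involved; the session store, origins, field names and both handler functions are constructed for illustration.

```javascript
// Added example: all names, origins and data below are constructed.
const SESSIONS = { "sess-123": { name: "Example User", email: "user@example.test" } };
const FIRST_PARTY = new Set(["https://portal.example.test"]);

// Pre-fix behaviour: the browser attaches the session cookie to any <script src>
// include, so every page the user visits can receive the profile via its callback.
function vulnerableProfile(req) {
  const user = SESSIONS[req.cookies.sid];
  if (!user) return { status: 401, headers: {}, body: "" };
  return { status: 200, headers: { "Content-Type": "application/javascript" },
           body: `${req.query.callback}(${JSON.stringify(user)})` };
}

// Hardened behaviour: per-user data is never wrapped in a caller-chosen callback.
function hardenedProfile(req) {
  const deny = (status) => ({ status, headers: {}, body: "" });
  const user = SESSIONS[req.cookies.sid];
  if (!user) return deny(401);
  if (req.query.callback !== undefined) return deny(400);      // JSONP refused outright
  const site = req.headers["sec-fetch-site"];                   // Fetch Metadata, if sent
  if (site !== undefined && site !== "same-origin" && site !== "none") return deny(403);
  const origin = req.headers.origin;
  if (origin !== undefined && !FIRST_PARTY.has(origin)) return deny(403);
  // Plain JSON that a cross-site <script> include cannot execute or read.
  return { status: 200,
           headers: { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" },
           body: JSON.stringify(user) };
}

// Constructed requests: a cross-site script include and a first-party fetch.
const crossSite = { cookies: { sid: "sess-123" }, query: { callback: "cb" },
                    headers: { "sec-fetch-site": "cross-site" } };
const firstParty = { cookies: { sid: "sess-123" }, query: {},
                     headers: { "sec-fetch-site": "same-origin", origin: "https://portal.example.test" } };

console.log("vulnerable, cross-site:", vulnerableProfile(crossSite).body);
console.log("hardened, cross-site:  ", hardenedProfile(crossSite).status);
console.log("hardened, first-party: ", hardenedProfile(firstParty).status);
```

On the client side, the separate-profile advice earlier in the thread has the same effect from the other direction: with no session cookie in the profile, both handlers return 401.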
Virtual methods and functions behave very differently from an extensibility point of view. I much prefer using named parameters or replacing the bool with an enum.