Tor security advisory: Old Tor Browser Bundles vulnerable

An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.

Read the full advisory here:

So the Iceweasel browser included in the latest Tails is okay too? (17.0.7)


Apparently Windows gives zero-day exploits to the NSA before they even patch the systems.

Lovely NSA

If you ran NSA, GCHQ, Mossad, where is the first place you'd put a covert agent? MSFT, right? Ever wonder why they keep finding all those vulnerabilities that require update after update? Many of their employees work for intelligence agencies from all over the world. The Russians put something in, we take it out and put something else in, the U.K. agent finds it and takes it out and puts something else in. With apologies to Disney, "the circle of surveillance continues." It always will with software that does not have source code openly available.

"It always will with software that does not have source code openly available."

Gene Spafford, from circa 2000-2002:

"the nature of whether code is produced in an open or proprietary manner is largely orthogonal to whether the code (and encompassing system) should be highly trusted."

"From this standpoint, few current offerings, whether open or proprietary, are really trustworthy, and this includes both Windows and Linux, the two systems that consistently have the most security vulnerabilities and release the most security-critical patches."

How many people, who actually possess the requisite expertise, actually examine ALL of the code?

think they wouldn't spend the few hours kissing up to governments that could shut them down or make their life hard _-_ US just goes after people's privacy

Spoken like an individual who believes in the rule of law. Have they ever had the opportunity to see the inside workings of governmental systems? Well, in governmental/sovereign both of these there exist something called "summary judgement". A summary J is what happens when you p** off a "social worker" & they tell you your average spend down has been cut by $1,100 a month. On the top end we have the Feds who "regulate" (some saw fix) the market. A city may decide to improve their coffers by taking your property. Of course in the latter you may under federal statute fight it but to we who are slaves to systems that never existed a month ago ( & we bloody well better wake the hell up, sorry for the outburst) already know that whatever BAR we reach they will make higher. What are people saying? OK, remember the housing problems 8+ years ago where your home mortgage was sliced & diced? Well that's what's going to happen to your entire lifespan. Just one wrong entry & kiss your savings, car, home, + your retirement & if you need electricity for medical equipment bye-bye. So it's not just the collection of all your bits & parts but finding yourself rearranged like Frankenstein's "Monster" & shoved into a "no-fly list". I'm really not sure if you will get it until you one day find your situation in a preterminal state or worse a slave till you die. Hope being frank is tolerated. Otherwise ta.

tor is rip
good times for live.
good times for rip.

It only targets Windows users.

So basically if someone had JS enabled but had updated their TBB within the last month they wouldn't have been affected by the malicious JS?

Theoretically, at least.


And TBB would have shown a red or yellow warning on the home page in the last month telling us to update?

Yep, although there is one specific build of TBB with FF version 10 that for some reason did not mention that.. But part of this Javascript attack was that it checked to see if you were running version 17.xx (this was a vulnerability associated with this version).

Look around to verify if version 10 was affected by this malicious script.

That is purely wrong and misinformation from people who can't read the code!

The script checks for "document.getBoxObjectFor != null", which is a function removed in FF3.6(!!).

It also checks as an OR for "window.mozInnerScreenX != null", which is implemented in every browser using the mozilla engine.

So the script doesn't give a damn what version you have. Every mozilla-based browser is targeted (not only Firefox). It works for every single FF version under the updated one.

That's only the injected javascript. The javascript served up by the hacker/government's server parses navigator.userAgent for "Windows NT" (exiting if not found), "Firefox" (exiting if not found) and the version number. In function b() it says if(version <17){window.location.href="content_1.html";} in other words redirecting to a different page on the hacker's server that presumably contains a different exploit for versions < 17 (nobody seems to have a copy of that file so it may do nothing as well). if (version >=17 && version<18 ) it sets a global flag which it checks later to see if to proceed with the exploit (if the flag isn't set i.e. version >=18 it exits).

I'm sorry but I'm very tech illiterate (cant read code). Are you saying that the TBB released after June 26 are also vulnerable to the attack? This seems to go against everything I have read regarding this attack.

If I misinterpreted what you meant, I apologize.

You are half-correct. You are talking about the script that injects the iframe. The actual exploit loaded into the iframe only attacks Firefox 17.

So in your opinion, the actual exploit (sending off MAC and IP to LEA), only occurs with FF 17?

To be redundant here, 17.0.7 looks to be safe from THIS particular attack even with global scripts allowed?


Well, that makes me feel much better. Don't surf CP websites but I did use TorMail and I was worried that I might have been 'pwn'd' by this exploit.

Thankfully, I installed the Alpha2 latest version of the Alpha TBB almost 4 weeks ago so I was covered and I was using a non-exploitable version of the TBB bundle before that.

For Ubuntu users, Micah F Lee's torbrowser-launcher makes updating your TBB easy and painless. I highly recommend it:

What does the Tor Project say about this?

Please tell me why any self-respecting Linux user would use TBB instead of Tails??
Honestly, the same goes for Windows users: why not use Tails?

Like many others, I use Tails whenever possible. But, where I cannot boot from USB (such as at work), I have to use TBB, which is better than nothing.

Simple enough to answer. Connections and bandwidth. Not everybody in the world, and especially in rural areas of one country in particular that prides itself on being a leader in technology, has access to broadband or even reasonably fast internet. Downloading an 800+MB ISO image, even as a torrent, is a painfully long process over dial-up! By the time the current version downloads, the 'Unlimited' (translate to 300 hours/month) dial-up account is exhausted for the month, and chances are you have to download a new version anyway as an update has been released.
Oh, when you have broadband, it's easy to say why would someone use the smaller option when the larger one is better, but look at the other side of the digital divide and the answer becomes quite clear.

Please tell me why any self-respecting Linux user would use Tails instead of Whonix??

The large developer and security analysis community around Tails, compared to the voice-in-the-wilderness aspect of Whonix?

The VM approach is better in theory, but not yet clear to be better in practice. Please help!

What about Tails?

Read the advisory!

Thank you very much for all the time and work you put in this.

At least now we can calm some people down a bit.

Agreed. The TOR Project staff are wonderful! Not to mention totally professional.

If only they would pull their heads out of their asses and disable javascript by default. They were warned, they just wouldn't listen, even now.

Spot on mate. It's a minor annoyance for those of us who're happy to dive into NoScript's settings, but potentially life changing for those out there who trust the bundle to have everything covered out of the box. Can't help but think that when there's no good reason to have it so, the reason for having it so must be 'no good'.

Is Firefox 10 ESR also affected by this exploit?

I believe Firefox 10 does not trigger the attack, but I also expect it's vulnerable if somebody were to attack it.

Firefox 10 is bad news. Don't run it.

I always forget to update Tor. It would be nice if Tor had an auto-update option.
I clicked on some links with Firefox 10 ESR that some people posted. I really hope the vulnerability didn't work with Firefox 10 ESR :-(

Yes it was attacked and it did trigger something. But nobody is talking about it.

if(version <17)

Sure looks like you're right.

Let us know if anybody can find a copy of content_1.html.

All attempts to obtain content_1 from the exploit server failed. It appears as if the exploit was cut down from a broader attack.

How sure are you of that, are you one of the experts who tried it themselves, or could you link a source please? Do you mean to say people actually used the older versions of the browser (or spoofed the version) and tried to get this page the same way content_2 was obtained? There are many people who are worried and very interested in this, from what I'm reading here and on other sites.

I'm not the same anon, but I've been trying for days to get content_1.html off their servers (both the direct IPs and their onion-ized version). In fact, to get anything including index.html, but the server was either down or the files weren't found. BTW version 17-18 will get content_2 and 3. Only if version < 17 does it do a complete redirect to content_1.html where then something happens -- nobody knows.

The paste mentioned above, line 190: "content_1.html" was never obtained.
The mozilla bug ( on this, comment 13 refers to content_1 as "the bailout page".

Yes, it does trigger the attack.
The function checks for:

"return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));"

document.getBoxObjectFor is a function removed in 3.6.
mozInnerScreenX is implemented in every mozilla-browser.
It does not specifically check for a version. It even executes on FF 22.
If the malware can go through though... I don't think anyone can actually test that practically.

That's only the server-side injected code, there's a ton more code (and the actual exploit) that's loaded in the iframe.

The iframe is injected in any mozilla-browser. The exploit in the iframe only runs on Firefox 17.

Cautiously assume all Firefox versions since 3.x have the vulnerable code. This particular malware possibly only worked for 17 ESR on Windows though, with JavaScript enabled.
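As an added illustration (not code from the blog post, the Tor Project, or the exploit itself), the script below reimplements, for exposure triage only, the two selection gates the comments above describe: the Gecko feature test that decides whether the iframe is injected, and the User-Agent parsing in the served script that chooses between redirecting to content_1.html, proceeding, or exiting. The function names and the sample User-Agent strings are my own constructions; note that the second gate compares the major version only, which is why a patched 17.0.7 still reaches the exploit stage yet, as the thread says, is safe from this attack.

```javascript
// Added triage helper: not code from the Tor Project, the blog post, or the exploit.
// It mirrors the two selection gates described in the comment thread so a responder
// can ask "would this browser have been engaged?" without touching any exploit code.
// All function names and sample strings below are constructed for illustration.

// Gate 1: the injected feature test quoted in the thread. getBoxObjectFor and
// mozInnerScreenX are Gecko-specific properties, so this is an engine check,
// not a version check: any Mozilla-based browser passes it.
function iframeWouldBeInjected(env) {
  return (env.getBoxObjectFor != null ||
          env.mozInnerScreenX != null ||
          /Firefox/i.test(env.userAgent || ""));
}

// Extract the Firefox major version from a User-Agent ("Firefox/17.0.7" -> 17).
// Returns null when no "Firefox/<digits>" token is present.
function firefoxMajorVersion(userAgent) {
  const m = /Firefox\/(\d+)/.exec(userAgent);
  return m ? parseInt(m[1], 10) : null;
}

// Gate 2: the branch the served script takes, as described in the thread:
//   - no "Windows NT" or no "Firefox" in the UA -> exit
//   - version < 17                             -> redirect to content_1.html
//   - 17 <= version < 18                       -> flag set, exploit stage attempted
//   - version >= 18                            -> exit
// Only the major version is compared, so 17.0.7 (patched) takes the same branch
// as 17.0.6; the patch, not this gate, is what protects it.
function servedScriptBranch(userAgent) {
  if (!/Windows NT/.test(userAgent)) return "exit: not Windows";
  if (!/Firefox/.test(userAgent)) return "exit: not Firefox";
  const major = firefoxMajorVersion(userAgent);
  if (major === null) return "exit: no version";
  if (major < 17) return "redirect: content_1.html";
  if (major < 18) return "proceed: exploit stage attempted";
  return "exit: version >= 18";
}

// Combine both gates for one simulated browser environment.
function triage(env) {
  if (!iframeWouldBeInjected(env)) return "not engaged: iframe never injected";
  return servedScriptBranch(env.userAgent || "");
}

// Constructed sample environments (not captured from the real attack).
// mozInnerScreenX is 0 for the Gecko samples: the check is "!= null", and 0 is a
// legitimate value for a window sitting at the left edge of the screen.
const SAMPLES = {
  tbb17win:  { userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0.7",
               mozInnerScreenX: 0 },
  ff10win:   { userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0.12",
               mozInnerScreenX: 0 },
  ff17linux: { userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0",
               mozInnerScreenX: 0 },
  ff22win:   { userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0",
               mozInnerScreenX: 0 },
  chromeWin: { userAgent: "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36" },
};

// Run every sample through both gates and return a name -> verdict map.
function triageAll(samples) {
  const out = {};
  for (const name of Object.keys(samples)) out[name] = triage(samples[name]);
  return out;
}

for (const [name, verdict] of Object.entries(triageAll(SAMPLES))) {
  console.log(name.padEnd(10), verdict);
}
```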

Here's a simple rule-of-thumb for any piece of software that is subject to critical vulnerabilities (such as web browsers; email and chat clients, etc., and, of course, operating systems): Always keep it up to date:

Make sure that you:
- are checking for security updates (whether automatically or manually) at LEAST once-a-day
- are downloading and installing said updates as soon as they become available
- discontinue using anything as soon as security updates are no longer issued for it

The Tor project should all but *force* users to install new updates each time they run Tor.

I'm not sure if automatic updates are the best strategy, but before the browser even opens you should check for updates, and if it finds any security updates, the user should have to click through an insane series of warnings before they can use the old version.

Also, updating should be a one-click affair. You shouldn't have to download a new app and install it (which I think is currently necessary on Mac at least).

This is going to keep happening, and given tor's usefulness, some of its users will not be very sophisticated, and won't understand the implications of not updating. You've got a duty to protect them.

Automatic upgrades are on the way, based on discussions at the Munich dev meeting in July:
But there are many logistics issues to work out still. Please help!

Forced updates are very, very bad as they can be exploited. Just think somebody breaking into the update mechanism could then attack all users successfully. One-click is about as bad.

That said, a version check on start _via_ the TOR network, e.g. on the verification page may be a good idea.

Security comes with some effort you need to invest and some level of constant vigilance. Still, many people will still not update unless forced to, even if there are very clear warnings that are hard to overlook. But forcing upgrades will put everyone at risk and is hence unacceptable. There are people that will be careless under any circumstances and nothing can be done about that, it just has to be accepted that there are people that cannot be kept safe.

Forced updates when done properly are very very hard to exploit.... the trick is, like with anything else, in figuring out how to do them properly.

Please keep in mind that if you CAN do something then you can be REQUIRED to do it.
What I mean is this... if they set up automatic updates then the NSA (or the FBI) can REQUIRE them to send to their users trojans just as well.
This is nothing new... it happened for instance with Hushmail in the past.
Hushmail had to comply with a court order that forced them to send a keylogger to one of their users to catch the password he used to encrypt his email stored in Hushmail... and they could do nothing to resist it.

So... if you CAN do something, then you can be FORCED to do it.

I think the solution is to simply disable javascript and make a warning dialog popup whenever you try to enable it. If you are stupid enough to enable javascript even with a big red warning dialog that warns you that you are fucking yourself up then you just deserve it.

Also the program should warn the user that a new version is available but without links to automatic download any content. So the user has to go to the official website and download the official release.

"if you CAN do something, then you can be FORCED to do it."

"if they set up automatic updates then the NSA (or the FBI) can REQUIRE them to send to their users trojans just as well."

Couldn't a TLA or any savvy-enough adversary ALREADY sneak malicious code into TBB or other Tor packages?

How many people CAREFULLY READ-THROUGH ALL the code?

How many of those who do carefully read-through all the code are expert enough to detect anything rogue in it?

And, finally, how many of those who carefully read through all the code and are expert enough to detect anything rogue in it (and are looking for such) would ALSO report and publicize it should they find anything suspicious?

That is what cryptographic hashes are for. I personally would love a hash checker that would check for several hashes and then tell you if more than one checks out. It is much harder to fool several hashes than to only fool one, by the length of one hash multiplied by the other(s), approximately.

Anyway I wish the load would generate the hash and allow you to check the hashes of other programs and check them with those found in whatever source(s) you wish to point them to.

Who was it that said that difficulty directly reduces security? That is why I really like the keep-it-as-simple-as-running-a-TOASTER concept. Yes, I would consider running an update button before I would download a new version for a number of reasons. Firstly, I am a very new convert to Linux! (UBUNTU)

I had the problem of having two (apparently!) instances of TBB.

tor would not load!

So I was forced to go back to my download and start from the start TBB there.

It worked!!!

I have not seen this fix anywhere.

Anyway my point is that it is HARD to be secure!

TBB is great in that it makes a NEWBIE like me able to get some security.

Also, the more people who use non-back-door encryption, the more junk the NSA has to break the encryption for.

It's not a case of doing it properly.
It wouldn't be the first time an auto-updater updates malware without you knowing.
And a company can't assure anyone that this won't happen at any time. If they do, they simply lie to your face.

Especially for the TOR project, which is funded 80% from the US gov!!

Most of the updating process (including verifying signatures) can be easily automated, for example, using PowerShell, especially since TBB isn't really properly "installed" so much as "unzipped".

This really sounds dumb. First you want to "force" your ineptitude with technology on other users, and then want to blame Tor developers by accusing them of not fulfilling a duty to others. Man, you just love to play the blame game and evade responsibility for your own actions. These are decisions "you" make. Learn to live within your (technical) means, and let the rest of us live within ours.

You don't need to force people to upgrade, just have something on the homepage that tells them that the version is insecure and they should upgrade to reduce the risk of being exploited. Apparently javascript exploits have been around before, I didn't know they were possible, if more people knew they were possible and the risks they would upgrade without being forced.

And for goodness sake - disable javascript in NoScript by default, and don't leave any sites in the whitelist. This is how I start off, and then I make decisions on a site-per-site basis (eg. Do I really trust this site??) :

"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

(all emphasis mine)

BWAHAHAHA enabling javascript is safer? Crack pipe please!

Javascript exposes your system's Time zone/Screen size/Color depth/System fonts, without even using any hacks, test it yourself:

How the fuck is that safer? That's before we even talk about all the javascript exploits.

If javascript is safer noscript wouldn't attach the (dangerous) warning sign to it now would it.

Stop lying.

The idea, I think, is that since TOR has javascript enabled by default, you can hide amongst all the other TOR users running their system on default by also keeping your JS enabled. Basically, you stay anonymous by hiding in a crowd. Keeping JS disabled everywhere makes you part of a smaller crowd of TOR users who have their JS disabled and selectively enabling for some sites and not for others makes your browser settings unique, giving you no crowd to hide in, which is very bad when you are trying to remain anonymous.

From an anonymity perspective, it makes sense. But I will agree, that definitely does not make you safer, especially if you are running a Windows OS on a privileged account. But that can also be avoided by running your OS on a low security setting, especially if that OS is not Windows. JS can deploy self-executing exploits all day long on a linux system running at a low security level and do nothing.

It doesn't matter how visible a notice or warning is, some people will completely ignore it and move on.

Source: I used to work tech support on a college campus. Also, retail.

"It doesn't matter how visible a notice or warning is, some people will completely ignore it and move on."

But once as much as can be reasonably expected has been done to warn, then the responsibility rests upon the user who ignores the warning.

"some of its users will not be very sophisticated, and won't understand the implications of not updating."

I don't recall sufficient details about the warning that flashes when a deprecated TBB opens.

If the warning:
a) is practically impossible to miss,
b) explicitly conveys the danger of continuing to use the deprecated TBB,

well, then any user who ignored such a warning would have THEMSELVES to blame, don't you think?

The warning should read something like:

"A new version of TBB is now available. You are strongly urged to update immediately. The version you are reading this in has known critical *security vulnerabilities* that may be used to compromise the protections provided by Tor as well as harm your system in any other number of ways."

So I am running the 2.3.25-10 version from June 26 2013 but may have had java enabled and visited tormail ... am I covered by the fix in the latest version ?

Assuming you meant Javascript, you should be ok against this particular attack.

If you mean Java... please learn why Java is bad.

thanks ... I meant javascript ... and thanks for keeping our anonymity as secure as possible ...

Interesting. So it took "them" about 4 weeks from the patch (Firefox was patched a day earlier) to an implemented larger-scale attack. Not too bad for a bureaucracy.

But this also clearly says the Tor project is not to blame. Being 4 weeks behind with security patches is unacceptable for something like Tor, and the mozilla folks called the vulnerability "critical". This vulnerability does not even really qualify as 0-day, even if the mozilla advisory just says "crash, can possibly be exploited".

Someone sent Oath Keepers and someone fighting NDAA child porn in an attachment. Through TOR. Oath Keepers then notified FBI.

I use the Vidalia package from last year with a FF version 10x. Is my setup at risk from this exploit?

Heck yes. Your browser is unmaintained -- Mozilla has abandoned it. Upgrade!

Your browser is vulnerable to this type of attack (and many others) indeed, but the attack implemented on Freedom Hosting sites specifically targets v17 of Firefox, thus it's likely that your identity has not been compromised if you've visited any of these sites with v10x.

I still don't understand it all - sorry in advance :)

I've read several different things about the exploit, one mentioned a tracking cookie that could not only reveal your IP but also every other site visited while the cookie is active.

So for my question:
Does the script just tell the server the site you got it from (e.g. Tormail) and your real IP or does it track all the browsing of the current session?

Not all browsing. Only freedom hosting sites.

FF 10 is so outdated; the latest FF release is V22.

Sorry for the stupid question, but one thing would be interesting for me: I had an older version of TBB installed until Friday, but JavaScript was globally disabled. Can I be affected?


I wish Mozilla would take memory safety more seriously.
Almost all releases contain:
'Miscellaneous memory safety hazards'

Much JavaScript in Firefox codebase also violates sound practices and advice from Douglas Crockford in "JavaScript: The Good Parts".

It's sad to see that lots of JS code use the (bad) == equality operator, instead of the (good) === operator.

There are static checking tools available.

But I'm pleased to see that Tor is starting to take TDD seriously. Thanks for that!

The WWW in general has gotten way ahead of itself and should never have been allowed to get as far as it has with all of the numerous, multiple security threats, many never even /accounted/-for, much less adequately dealt with.

Critical infrastructure and at least a great deal of the critical data that has been placed onto the Internet should never have been.

Yet another example of what happens when you allow the "Free Market" to dictate; to be the arbiter, etc.

I don't hear anything outside of the Tor Browser. What about the pluggable transport version obfsproxy for Tor? I believe that version of firefox is 17.0.6.

Is this safe, because there hasn't been an update or an announcement for this particular package?

Also, for us non-techs, would we actually know that the browser was affected, if something took place. Any explanation would help. Thanks!

There is no safe version of the (experimental) Pluggable Transport Tor Browser Bundle currently. That's because nobody's been updating it. :(

Keep an eye on
for updates.

"WARNING: This pluggable transports thingy is still in the EXPERIMENTAL stages and should be used only for TESTING purposes-- not for anything critical."

Is there a reason why you don't include such a warning in posts such as the one at:

Question: In a German newspaper they say that you Tor developers suggest not to turn off javascript. The newspaper states that it would be more suspicious than protecting.

What can you say about javascript. I disabled it for all sites because of possible attacks like this.

Javascript on or off - what is the better way to surf safe?

Javascript on or off - what is the better way to surf safe?

That depends on what you mean by safe.

The Tor Bundle ships with Firefox as the browser, and includes the NoScript extension to Firefox that blocks scripting if the site is not in a user-maintained whitelist.

The problem is that disabling JavaScript by default breaks browsing for people who want to access sites that require JavaScript to work correctly. Most Tor users are simply concerned with anonymity, which means not having their actual IP address available to the site they are viewing. When you go through Tor, the origin address the other side sees is your Tor exit node, not your real IP.

The Tor Project chose to enable JavaScript globally to avoid problems for the majority of users who don't care if it's enabled.

I don't know of any way to get a real underlying IP address of a computer with just JavaScript. Getting the real IP address requires OS level operations JavaScript isn't allowed to do.

If you run the Tor bundle, click Addons. In the Addons window, select NoScript, and click the Options button. Uncheck the "Scripts allowed globally" box.

JavaScript will now be off by default. NoScript will warn you if it has blocked JavaScript execution when you visit a site. If you trust the site, you can add it to NoScript's whitelist, and JavaScript will be permitted for that site in the future.

Great explanation, but one further note -- you say "if you trust the site", but if the site is giving you content over http, then you really mean "if you trust the site, and also the network connection between you and site". And whether you're using Tor or no, that decision gets quite complex. Even worse, we've seen evidence lately where state-level adversaries can fabricate https certificates for other sites -- so we need to append "and if you trust the 200 or so certificate authorities to all behave perfectly" to the list of if's. Rough world out there. (That said, raising the bar does help.)

Unfortunately those who trusted the sites hosted on Freedom Hosting, and added them to a white list, got caught by this exploit. After today, JavaScript must be off in TOR at all times, because new vulnerabilities like this will pop up in the future.

If you want to be private, you have to disable JS, no matter how trusted and secure a site may be. There is no way around it now. FH was a trusted, untraceable onion hidden service.. and yet it fell and was injected by malicious scripts. TOR must ban JS completely starting today.

If you use JS you can be caught by such buffer overflow exploits, and your real identity will be revealed. And if you don't care about protecting your identity, why use TOR?

One should consider if banning JS from all browsers is not the right thing to do. If any malicious executable code can be run at will by JS, imagine what this could do in the hands of criminals. It could install a keylogger on your pc with ease and gain access to your bank accounts, or worse.

It sure would be nice to have an easier interface than Noscript's, for enabling Javascript in a just-in-time way when you decide you want it.

That said, while Javascript is indeed a big vector for attacks, don't think you've solved everything by disabling it. Another enormous vector is svg and pngs -- it is absolute crazy-talk to just blindly accept images from websites and render them. No reasonable person would allow images to load in their browser. The number of recent vulnerabilities in libpng alone should be enough to convince you.

That said, I sound like a paranoid maniac in the above paragraph. But hopefully it will make you stop and think. How did we get to this point in browser security, and how do we recover from it?

Write a secure browser from scratch and don't bother catering to people's retarded demands like being able to run the latest and stupidest web 4.0 gizmo.

Problem is, you want a browser that the dumb masses can use in every dumb web site...Looks like your problem can't be solved.

Yes, write a browser that does not include javascript except as a plug-in.

Re: How do we recover from it?
The best defense is a good offense. It is probably impossible to prevent all hostile surveillance - either by government or the private sector. But, you might consider making it worthless.
I don't know much about spam. Send me meaningless messages, and I will just ignore and delete them.
Suppose you developed an application that waited for your computer to be dormant for a certain period, then composed totally junk email using random words from a dictionary, and sent those messages to random people who use the application (by using the application, you would consent to randomly receiving a bunch of junk). You would clog surveillance servers with nonsense.
Develop another application, as above, that doesn't send anything, but simply goes from one "G" rated site to another, again randomly. Again, the surveillance folks would be clogged with junk.
Now, if you want to make things interesting, search "phony research papers" and you find a site at MIT where you can enter your name and it will crank out a phony technical research paper. Total nonsense. Use those for the email messages.
Want to make it more interesting, encrypt all the email with PGP.
For those - like me - who are truly malicious, generate the phony research paper, then use a word processor to change one of the key words in the paper to "uranium deuteride," "virtual cathode oscillator," "high purity fluorine," "10 gauge, high purity aluminum tubing, 3 inch ID," etc. Don't forget to encrypt it! (Also, be really familiar with the FBI's "triple threat" surveillance program IN ADVANCE! And, don't do this unless you enjoy excitement because you're going to get plenty.)

I've already created a Chrome plugin that does this to some extent.

So, just to make it "easier" to browse, TBB effectively facilitated this attack by having JS on my default despite cries for it to be disabled? Nearly all new major Firefox vulnerabilities involve breaking the sandbox with javascript, yet the TBB insisted that it had patched all *known* vulnerabilities and so users were supposed to believe running JS was some sort of acceptable risk!

I don't know how many people complained to both TBB and Tails that Javascript should be OFF BY DEFAULT but they kept coming back with this same old horseshit. Tails devs refused point blank to even add a bootcode to start Iceweasel with javascript off!

This all stinks to high hell.

It's not that simple. Did I not read above that if you had the most recent release of the TBB that you were immune to this attack? What it means is users should always make sure that they are using the latest release. It's pretty obvious too because the default home page for the TBB is. Now this isn't a perfect solution because the government could perform a mitm attack to make users think they had the latest version when they didn't. However if I'm not mistaken they are working on a better solution. Also- I'm not arguing javascript should be on by default although I think to say it should be off by default overlooks the issue that doing that would decrease the Tor user base which hampers security as well for all users.

It might be worth developing a plug-in with a big button that says 'secure mode' and one that says 'risky mode'. The secure mode would automatically be enabled for .onion sites where the onion sites would then be expected to comply with the 'secure mode' design (since all such sites for all intensive purposes must be compatible with it). The first thing you see when opening the TBB is an explanation of this 'secure mode' and the 'risky mode'. If you select the risky mode on non-Tor sites you should get a warning "Are you sure? There is a decent chance you will be putting yourself at risk" with continue, cancel options. This way it is a little more difficult to accidentally turn on 'risky mode' and at the same time non-technical users wouldn't find the TBB difficult to use.

"for all intensive purposes"

Yeah, a lot of those .onion sites can get pretty intensive...

( I think you meant 'for all intents and purposes')

People who had the most recent version were not immune before the version came out.

The advice given in the final two paragraphs of the above post explicitly and completely contradicts that given in the Tor Project FAQ:
(all emphasis mine)
"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."


I am absolutely appalled that arma not only effectively endorsed, in general, this post that so contradicts the FAQ maintained by her organization but actually went-on, in a subsequent post, to clearly imply endorsement, specifically, of selective enabling of JavaScript while using Tor:

"It sure would be nice to have an easier interface than Noscript's, for enabling Javascript in a just-in-time way when you decide you want it."

That's bullshit that if you disable JS you will be less anonymous. Just check the EFF site doing browser fingerprinting.

BWAHAHAHA enabling javascript is safer? Crack pipe please!

Javascript exposes your system's Time zone/Screen size/Color depth/System fonts, without even using any hacks, test it yourself:

How the fuck is that safer? That's before we even talk about all the javascript exploits.

If javascript is safer noscript wouldn't attach the (dangerous) warning sign to it now would it.

Stop lying.


I was merely QUOTING the Tor Project FAQ and noting the glaring contradiction between what it says and what "arma", a representative of that very same organization (The Tor Project) wrote here.

People should be demanding a response to this CONTRADICTION.

If the majority of users have javascript on, and you have it off, you are suspicious.

It's far better to feed observers a made-up timezone, size, color depth, and system fonts.

I vaguely suspect there's a plugin for that.

LOL like that matters, you are already "suspicious" if you come from a tor ip.

I'm using version 17.0.7 without Javascript, am I ok??


Fucking ZOGProject!
I hope you die!

To WHOM is your comment directed?

So what is the safest way to run the TBB with java and JavaScript turned off?

I use tor + privoxy and Firefox 22 as a browser, (and i don't use windows od course) am i safe? if not, what should id o? i am a journalist, sorry if my question is a stupid one

You're probably not as safe as you should be. See
for all the things that Tor Browser gives you. You have roughly none of them with that set-up.

Privoxy? really? of course you're not safe. You probably won't have to be worried about this exploit but you understand privoxy can only provide an HTTP proxy, right?
There's a reason Tor dumped it ages ago.

"Journalist". You spelling and grammar tell a different story.

No need to assume he's an English journalist. There are many international ones.

I'd say the question alone suggests that you should not be attempting to use Tor outside of TBB or Tails.

Noscript should be enabled by default or javascript should be disabled by default in tor browser bundle.

it used to be :(

Yeah? When? Everybody seems to think this is true but nobody can point to a version of TBB where it's true.

I would also say I thought the same thing but I realized something so now I am not so sure that this was true with the TBB, but it was true with Vidalia Bundle (which for some insane reason you no longer maintain and I have to add Polipo in myself). I think that is the confusion.

I think the following should be done

1. The default home page already does detect if you are actually using TOR and if better versions are available. You could at least add a JavaScript add to detect and inform people that it is enabled. It can be easy to forget right after an update (yet could cost them dearly).

2. If they prefer it disabled then a simple how to could help (yes I know it takes about 2 clicks but many users are tech impaired).

3. Do include something like pre-configured Polipo (or Privoxy which was used formerly).

4. Having NoScript disabled by default does make a certain sense in that it is more usable by the tech impaired, yet there is a disconnect here when you consider the current method of PGP checking (not that I recall noticing much good instruction on your site to begin with).

Sure it is easy enough for the technically inclined like myself, but what is the point of the average user getting into TOR while being so vulnerable to a compromised client?

Consider this when the stakes are higher - a whistle-blower/informer/activist. Not all these people will understand how to know the difference and good luck to the non-English speaking activists trying to figure out how to use PGP.

I am working on this myself - mentally at this point. I may slap something good together that will help the less tech adept. It would be better though (more trustworthy) if you guys handled this. It would not really be that hard.

Another thing you might consider is an installer which ASKS people if they prefer things more secure or more compatible with websites. Depending on the question, pre-configure TBB as they have chosen.

As for "it would not be that hard" for the PGP thing, consider that our current instructions for Windows users start with "download gnupg.exe from this http website". Windows users are screwed at a very deep level. If you have good answers, the world wants to know them.

As for a configuration option for Javascript, keep an eye on

Oh, and you don't want Polipo -- the next code security vulnerability would exploit it.

Waaait a minute. You acknowledge that TBB never shipped with Javascript disabled, but then you say that the old Vidalia bundle did? The Vidalia bundle never included a browser! And the old Torbutton Firefox extension never shipped with Javascript disabled by default.

I think a lot of the confusion stems from people very long ago being confused between Java and Javascript. Also, very long ago (before Torbutton), there were open questions about what privacy-invasive things Javascript could (using the legitimate API, I mean) do to you. Torbutton addressed many of them. But we're talking 6+ years ago now.
for those playing along at home.

1 and 2, at least, sound like good ideas.

I'm sorry for repeating hearsay without first verifying :(

"Noscript should be enabled by default"

NoScript is enabled by default in both Tor Browser Bundle as well as Tails but set to allow scripts globally. Even in this configuration, NoScript still provides certain protections, such as blocking cross-site scripting (XSS) attacks[1].

Obviously, allowing scripts globally cannot provide (anywhere near) the same level of protection as the selective whitelisting model that is the normal default behavior of NoScript. So why do both Tails as well as TBB ship with this less-secure configuration of NoScript? This question has been asked and answered many times (both of/by Tails as well as Tor).

The primary reason that has been given is usability; the functionality of many-- if not most web sites-- is heavily dependent upon JavaScript, often critically so.

An additional reason that has been given (both by Tor as well as Tails officials) concerns "fingerprintability".

Here is the relevant part from the Tor Project FAQ:

(all emphasis mine)
"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."


NOTES: [1] See, for example:

I believe-- but am not certain-- that NoScript would protect against this threat-- even in the default Tails and TBB configuration where scripts are allowed globally.

So if one had FF 17.0 to 17.06, AND had javascript enabled, they are probably compromised.

If javascript was disabled, probably GTG?

Against this particular exploit, yes.

If you're running off Firefox 10 (i.e. not the latest), there's no warnings on the check.torproject page (it says the usual congratulations), and if you check for updates through Options->Help, it says it's up to date! Please fix this because people who rely on this to find out if it's current won't know about this vulnerability.

Which bundle do you have exactly?

And unfortunately, 'check for updates' means 'go ask Firefox if there are updates', which we've disabled in TBB since that's not where your updates come from.

As a general comment, all of this stuff has been going on for quite some time and it is my general reflection that the nature of the problem has to do with either Tor not having enough volunteers working on the problems / code updates / fixes, or not enough money / donations to do this. Not sure if I am right about this, but over the past few months, I have been closely watching the following conversations -- all quite public in posts, with substantial discussions accompanying each post:

1) April 22, 2013: 'Hidden Services Need Some Love'
(Notice the discussion of donations in the comments section, after the extensive post on keys / key length, attacks, hidden services, etc - did this ever materialize? Maybe there is a need for a public funding campaign, perhaps, to address certain ongoing security issues discussed in that post?)

2) June 8, 2013: 'Prism vs. Tor'
(See discussion of keys, donations, etc, in comments...)

3) August 4, 2013: 'Hidden Services, Current Events, and Freedom Hosting'
(Kind of odd that part of the title was 'Current events' since a variety of these issues which led to this have been discussed and discussed and discussed for some time - but again, worth reading, and check out all the comments)

Supposedly Tor is looking for a lead software engineer and would like to hire more people.
I am just guessing, but it seems to me that people would be willing to support crowdfunding positions for Tor bugfixing and development (such as through an indiegogo or crowdrise campaign) -- especially if there was a promise by Tor to divest itself of (that is, get rid of) any connection to DoD funding or staff now and in the future. People are asking questions about Tor's past and present funding. People ask questions about Dingledine. It is in people's nature to ask these kind of questions and to be skeptical. I think one way to address this meaningfully is for the Tor project to lean more on crowdfunding mechanisms and on more frequent appeals to the user base through social fora to participate in financing efforts to support and fix Tor.

In closing, I think it's good that Tor is working with Mozilla in an effort that could bundle Tor into Firefox, and is working towards a day when Tor could be incorporated into Chrome (( post on that here )) but it is obvious that all of this needs funding and support which implies a need for crowdfunding more positions (periodic / more frequent indiegogo campaigns, etc.) to address all of these security issues - or so it would seem.

Funding campaigns are needed.

Your post seems to completely overlook the fact that only those who were running OUTDATED, DEPRECATED versions of TBB were subject to this exploit.

Other than that, you raise some good points, particularly about funding sources.

Observing your other posts here (no I am not an admin, but I can read and see patterns), you seem to repeat the phrase "OUTDATED, DEPRECATED" in your post(s). Perhaps you think everyone is using OUTDATED, DEPRECATED versions of TBB in Windows and that is your issue? Or perhaps you did not read the context of my post above, which had nothing to do with whether or not someone is updating something and everything to do with the issues of torbugs of all kinds (and the problem of how to fund the fixing of them over time whenever they occur, whatever they are).

Also, I suggest reading this -- just for fun (relevant to both java and javascript issues, which I think will be a long running discussion and are in no way settled):


*** Notes:
What is Java?

How is Javascript different than Java?

Is Javascript Enabled In My Browser?

What is NoScript? <-- Read this, if nothing else here.


Does this affect users of Chrome who have the Bundle installed?

Wait, what?

If you mean "I use Chrome for my non Tor browsing, and I use the Tor Browser Bundle for my Tor browsing", you should be fine. TBB is designed to be standalone and not care what else is on your system.

If you mean "I hacked up some Chrome thing and hooked it up to Tor, am I safe?" then you likely have other problems:

"TBB is designed to be standalone and not care what else is on your system."

But a compromised system absolutely /can/ and is /likely/ to compromise/defeat TBB.

Sure. But it's NOT Tor/TBB's fault.

I have the latest TBB. Since Friday (8/2/13) Tormail (RoundCube) is not reachable. Any idea what is going on?

Freedom Hosting, the company who served Tormail, is down. It's all over the news.

I have a 2.3.25-10_en version but it was downloaded and installed 6/21/13 per my computer - is this the same version with the bugfix that was said to have been released on 6/25/13 here?

The bundle went live on the webserver on June 24:

Perhaps you got an earlier version that was distributed for QA / testing? Or perhaps your computer's date is/was wrong? Or perhaps you don't have a real Tor bundle at all?

I am a spaz. It was actually installed on 7/21/13 - I misread the file info. Thank you for your prompt reply and kind assistance

"It was actually installed on 7/21/13 - I misread the file info."

Thank you for following up.

Since Friday (8/2/13) can't reach Tormail (roundcube). There was a message up about server maintenance, but that is gone. Any idea what's going on?

don't worry, FBI will contact you later

I read that the exploit only affected versions 17 and 18 of FF - I am running 19.0.2.
Is this a browser that would be affected by the exploit?

According to Dan Veditz's post, "The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7."

So your FF 19 has the vulnerability, but this particular attack code would not target it.

It seems that the US police state has learned the ip addresses of people all over the world who committed the non-crime of visiting a bunch of websites.

From a technical point of view that's a big failure for the Tor project. They are responsible for the browser they bundle, aren't they?

Now, what's the legal side of things? The US police state has hacked into computers of people living all over the world. What is the US state planning to do with the information they stole?

Please somebody from the EFF chime in. Thank you.

We do try to keep up with browser updates for TBB, yes. You'll notice that we put out an update in June, and this was exploited in August. People who updated were fine.

As for the legal side of things, I don't think anybody has details on whether it was really the US police state? Not that I'm claiming it wasn't, but it's hard for anybody to proceed without details.

Would EMET with Heapspray protection enabled on a vulnerable version have mitigated this attack?

If our TOR version was from early June late July, would we still be affected?

Find the version you were using if you can, maybe it's still hanging around somewhere - the compressed installer. Find those numbers attached to it and line them up with the content of this blog.

Early June probably yes, late July probably no.

I'm sorry, I wrote that comment in a rush, I meant to say mid-to-late June, Early July.

On or around July 30, 2013, while I was at a certain website, my Tor Browser displayed a yellow ribbon just below the menu bar.

It read as follows:

In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values

Question: Has anyone encountered such a situation?

The version of the TBB that I was using at the time is the latest version. My OS is Microsoft Windows 8, 64-bit.

Absolutely the same here, my friend. I did nothing when that message appeared as a bar below the original bar, but it was the first time I saw it. Probably I'm fucked. Time to buy another laptop; I will burn this one.

That message is completely harmless. It is a legitimate message from a recent update of HTTPS Everywhere addon.

I agree.

Same here. Interested if anyone else saw this or knows what it is about. I run HTTPS Everywhere in blocking mode.

I got the same message! But I had never fiddled with the settings of HTTPS Everywhere. Why the need to "reset to default values"?

arma, why no comment from you??

I did, in both my copy of the TBB as well as my untrusted (regular) copy of Firefox and my copy of Portable Firefox. A new version of HTTPS-E came out that day, but required reconfiguration almost from scratch.

What should one do if they can't remember whether or not they used TOR over the last couple of weeks?

Take some Ginko Vigara. It's for people who don't know what the fuck they're doing.

It's a serious question.

Is there a way I can check to see when TOR was last run?

No, there isn't any way. Tor is designed not to keep logs for your own safety. But seriously. If you can't remember whether or not you have used tor in the last week you should see a doctor. Alzheimer's can be slowed down if it's detected early.

Must you be so nasty?

That depends. If you are using Windows then... maybe. Windows uses an NTFS file system. NTFS has something called Last Access Update. Assuming this is turned on, it will update with the last time you accessed a file. Right click on a file and choose properties.

If it is turned off - the date will be the same as the created date. If it is turned on, it will be the last time you accessed the file. In the case of TBB, the last time you ran it. That can tell you (or anyone with access to your computer) when it was last run.

This is turned on by default in XP and I cannot remember if this is true of later versions of Windows. Mine is turned off though and I suggest everyone turn theirs off. It is not hard - Google NtfsDisableLastAccessUpdate and you will see how.

It is better that someone getting hold of your computer does not know when you last accessed files. But disabling this "feature" also improves Hard Drive performance and longevity since you are cutting out a write operation from every file read operation! I expect disabling this would also help laptop battery life to some extent. It is a terrible "feature."

I will add one more thing. If you use Truecrypt to protect sensitive information and you also utilize keyfiles (music files are good but random recorded radio noise is better) then this "feature" makes it very, very easy to figure out your keyfiles. Disable it NOW.

Last Access Time is disabled on NTFS for windows > XP and Windows Server > 2003 unless you cleverly re-enabled the feature. It's disabled for performance reasons. It may even be disabled on those named OS's with the last service packs, but I am only surmising.

I think Last Access Date (no time recorded) is still enabled by default on FAT volumes, but I could be wrong.

You can show the column in Windows Explorer and see if it is useful...

Great Tor I never even thought about jailbait before I found Tor but then I got curious and looked at freedom hosting site and now I go to jail and get ass raped. Thanks for entrapment asshole.

curiosity killed the cat.

Also... rhetorically, why would child porn spike curiosity in you?

why would not naked hot teenagers spike curiosity in you? Tor promised me hot teenage action and all I got was raided by the feds!

Who couldn't be mesmerized by the undeniable lure of tender, smooth, taut, voluptuous youth?

Who could corrupt, exploit, bugger, sodomize, defile, desecrate, deflower, etc.?

hey looking at pictures does none of those things

It depends on their age you dirty bastard! you need a rope around your neck if it were young girls! I have no sympathy for sick fuckers who get ass raped in prison for seeking child porn, not everyone who uses TOR is into this shit

Have you not noticed that a lot of 13 year old girls look like hot 20 year old sluts? When will the pretending that they are not attractive end? When will it end putting people in prison just for looking at such hotties showing off? Let's get some sanity in this issue!

He doesn't find teenagers attractive so is probably a pedophile

"Have you not noticed that a lot of 13 year old girls look like hot 20 year old sluts? "

In that case, why not stick to the 20-year olds and avoid much drama?

Those are your thoughts in your own head and not what the actual child of 13 is thinking! idiot!
Girls that age throw tantrums, bitch a lot, cry a lot, they are mouthy and like boys around their own age. Do us all a favour and use your brain when you look at youngsters

maybe because only fools accept someone else's opinion about something they never saw for themselves? why do YOU hate child porn? because someone told you it's all evil and disgusting rape and torture of babies correct? WRONG. A photo of a teenage boy model in underwear can, and has been called child porn. a video recorded by a underage school student and shared by him over the net is called child porn. if you view it, the government will tell you you abused that kid. did you really? does watching dexter make you a brutal killer? does watching news of 9/11 make you a terrorist responsible for the deaths of thousands? does looking at the footage of the first and second world war make you in any way responsible for the actions in it? are you that blind and compliant to believe anything you are told that you yourself did not research? that's why people are curious and go see things, even if the things are 'awful' and illegal - or are they?

perhaps 1% of the people caught in this exploit actually did any harm to a child. the 99% will be persecuted nevertheless. because people do not understand what child porn really is and that not even 0.1% of it is rape or torture. most of it is teenage kids masturbating on webcam or vintage videos from 30 years ago. hardly a reason to destroy lives by branding all of them rapists and molesters.

Thing is that there is really a big line between CP and JB. There is a ton of sick CP of toddlers and babies being raped and very underage kids being generally exploited. I find such things disgusting, but I don't care what other people get off to, I care only that they do not molest kids themselves. On the other hand there is also a ton of JB and it is considered CP only by legal technicality. In reality it consists almost entirely of teenagers taking pictures of themselves naked and uploading to the internet. Some small percent of them are blackmailed into doing so, some larger percent of them shared pictures with a boyfriend who shared it with the internet, but none of them are really raped and absued and a lot of them willingly and knowingly uploaded their own pictures. The biggest problem with Tor is that sites that host JB mix it in with tons of very disturbing and disgusting other shit that very few people who care about JB even want to look at. There are tons of clearnet sites for JB and the feds totally ignore them, but the people looking at JB on Tor are all going to be fucked by this operation because the feds cannot tell them apart from the people looking at 6 month old getting brutally raped. Personally I don't really care if people look at picture of 6 month old getting brutally raped though, looking at pictures is very far from doing the things in the pictures, or else everyone who looks at holocaust picture is then guilty of war crimes. Anybody with any fucking logic in their mind at all knows this, but these emotional thinking idiots control the world.

Jailbait is very addictive. It is best to never look at it even one time. Once you see fresh young teenagers you never want to go back to looking at old generally very rough looking adults in legal pornography. I have many friends who use Tor for various reasons not related to CP at all, and many of them have claimed to become addicted to jailbait after first finding it on Tor.

Like good wine women improve with age - only women keep improving and wine peaks.

So you think that 90 year old females are more attractive than 14 year olds ?

Beauty depends on the specific woman, as it does at any age, and also involves who she is as a person. Since I'm much older I see a 14-year-old as a kid without any real life experience. As my wife ages I still find her very attractive. She isn't 90 yet but I think I'll feel the same then.

Men age like wine.
Women age like milk.

I have to agree with this. Not only are jailbait girls typically at the peak of their sexual attraction, but the feeling of doing something so illegal is very addictive as well. It reminds me of being young looking at porn for the first part of my life, trying to hide it from my parents. Something forbidden and secret but so attractive and good feeling. I think the forbidden aspect is half the fun with jailbait, but most surely it is not all of it because I do find actual child pornography to be very disgusting and would not look at it even though it is also forbidden. Peak sexual attraction, plus bringing the rush back to pornography....a very addictive combination.

you are both right, yet i (being young adult) don't think i will live enough to see this being acknowledged by the "masses" not even mentioning the lawmakers.
Internet "pedophiles" - no matter if they fap to toddlers being gang raped or pictures of topless 16 year olds - are way to convenient scapegoats for powers that be, who can gain political capital and sympathy points literally out of nothing by cracking down on internet CP, instead of helping children that are actually being abused (which would require much more effort and $$, but won't make any big headlines)

Also censorship. Whenever you want to impose some restrictions on internet-users, just do it "for the children" and accuse your opponents of supporting pedophilia. Works like a charm.

posting this over tor because FBI lol

Scapegoat is the right thing to called pedophiles/pedosexuals (I feel the latter is more true) in the real world. The whole anti-pedosexual thing started when homosexuals were beginning to be accepted by society, as the new 'boogie man' for society created by feminists/religious leaders who hate that learning that sex is a wonderful and pleasurable thing early is the biggest buster of their bunkus in the world.

"The love between men and boys is at the foundation of homosexuality. For the gay community to imply that boy-love is not homosexual love is ridiculous." - "No Place for Homo-Homophobia.", San Francisco Sentinel, March 26, 1992

"Shame on us if our lesbian/gay voices remain silent while our
NAMBLA brothers are persecuted once again, and shame on those
lesbians and gay men who will raise their voices to condemn NAMBLA,
insisting that boy lovers (and presumably the boys they love and who
love them) are not part of this thing called the lesbian/gay
- Steve Hanson, "Shame on Us.", Bay Area Reporter, January 23, 1992

"NAMBLA is by no means on the fringe of the "gay rights" movement. For years, it was a member in good standing of the International Lesbian and Gay Association (ILGA), and was only jettisoned by ILGA when the parent organization applied for United Nations consultative status in 1993. Years earlier, the ILGA itself had resolved that "Young people have the right to sexual and social self-determination and that age of consent laws often operate to oppress and not to protect." "

Note that the "love" being referred-to in the above quotes is little more than an Orwellian euphemism for the buggering and sodomizing of tender youth by adult males.

(This is particularly disturbing when one considers the distinct physical as well as psychological disadvantage that the *receptive* partner in anal penetration is placed at: The bulk of the considerable risk of deadly infection as well as injury, ALL of the pain, discomfort and inconvenience that are endemic to this act, etc. )


I as young adult find that young adults like jailbait and old ass adults think it is horrible. Hardly any of my IRL male friends have not made comments about being attracted to under 18 year old teenagers, many of my internet friends who know about Tor have said they have looked at jailbait on it. But for most old people they seem to think it is totally horrible. Total disconnection between age groups, the same as it is for drugs.

If you are innocently looking at girls your own age, why do you have to do it on the TOR browser??? makes no sense.
Most of us old ass people have children and idiots like you are a threat to them, when you grow up and have children of your own, only then will you understand.
Please stick to the normal web where you can happily watch naked 18yr olds and not young teens who are being exploited, used and abused for your own selfish needs.

"Internet "pedophiles" - no matter if they fap to toddlers being gang raped or pictures of topless 16 year olds - are way to convenient scapegoats for powers that be, who can gain political capital and sympathy points literally out of nothing by cracking down on internet CP, instead of helping children that are actually being abused (which would require much more effort and $$, but won't make any big headlines)"

You raise some valid points that are worthy, if not /requiring/, of consideration and discussion.

1.) Wouldn't you say that working to /prevent/ abuse from occurring in the first place is no less important than helping the victims of abuse?

2.) Wouldn't you say that an individual who derives /pleasure/ from images/descriptions/fantasies of the likes of "toddlers being gang raped" is considerably more likely to pose a threat to society than the average or typical random individual? (Considering that the vast, overwhelming majority of the population-at-large in just about any society finds such imagery nothing less than utterly repugnant, revolting, repulsive and deeply disturbing.)

3.) Accepting the premises outlined in #s 1 and 2 above, wouldn't you say that society has a legitimate interest-- if not /duty/-- in at least /flagging/ and /monitoring/ anyone who exhibits solid, convincing evidence of having an unhealthy interest in the type of imagery in question?

4.) This is not to say that the /MERE viewing/ or possessing of /images/--of /any sort/-- should, in and of itself, carry criminal penalties.

1. The problem is, is it really *scientifically* proven that watching CP facilitates child abuse (comparable to what they call a "gateway drug", meaning first you watch pictures of 10 yo models in bikinis, then you need a stronger kick, you switch to harder and harder sex scenes, until just watching doesn't do it for you any longer and you go lure some real kids into your van)? Or does it help people who might have those urges relieve them without acting upon them? Your first point seems to be built upon the first assumption; however, if the 2nd is true, then what they are doing is not even wasting time/money, but using them to facilitate what they should actually be trying to prevent, since less CP = more people having sex with real kids. (btw. I'm talking about an absolute minority here that would actually act upon their sexual fantasies; I doubt they constitute a large percentage of people watching CP. Just like there are a lot of people into rape/rough sex, but only a few of them would/do actually rape.)

2. Well, he might be. Same as with somebody who watches gore videos or even Dexter. It's a very difficult question that can't be properly addressed at our current lvl of technological development. Regardless of that, what you are talking about here is thought crime. Just imagine the US government (or any government for that matter) being able to prosecute or even "flag" people for what they think. Imagine all sorts of power abuse that would then happen. And it would be even worse once they actually had the technology to read your thoughts. (And what the vast majority thinks shouldn't even matter; you know what the vast majority of people thought/ and in many parts of the world still thinks about homosexuals.)

3. Only if it's proven beyond a doubt that those people would actually act upon their urges. Otherwise we are talking of pre-crime, Minority Report kind of situations, where innocent people potentially suffer the consequences of actions they didn't do. And proving something like that beyond a doubt (I guess we are talking about preventive measures here; if somebody already raped a child and you have evidence, it's an easy game) is not feasible with our technology anyway. But even if it were, we should really think about whether it's worth the trade-offs (see 2nd point). Basically it's the same security vs. freedom debate, but with the stakes set very high. It was always possible (at least in theory) for people living in dictatorships to keep at least their thoughts free and overthrow the tyrants when the time was right. Open the way for the powers that be into your thoughts and there will be no escape.

4. Agree.

1. It is scientifically proven that in all countries that legalize possession and viewing of child porn, there is a sharp drop in child molestation rates, in every single country ever studied.

Results from the Czech Republic showed, as seen everywhere else studied (Canada, Croatia, Denmark, Germany, Finland, Hong Kong, Shanghai, Sweden, USA), that rape and other sex crimes have not increased following the legalization and wide availability of pornography. And most significantly, the incidence of child sex abuse has fallen considerably since 1989, when child pornography became readily accessible – a phenomenon also seen in Denmark and Japan. Their findings are published online today in Springer's journal Archives of Sexual Behavior.

The above commentator and some others here may wish to post there. No registration required, only a valid email (try a disposable one).

Especially to respond to comments like this:
"The reason we punish those that possess and traffic is because they are now more than in the past the consumers that drive the creation of the child porn."

In agreement with you

A lot of people have failed to recognise that the pedos are providing a service for the watchers: a child is being abused for their viewing and it will continue as long as they watch. I am cringing at the comments that looking at pictures isn't harmful?? Are some of you really that dumb? Of course it's fucking harmful, it's a child, abuse damages lives, it's against their will and human rights. Too many pedos on here.

For the stupid person 2 above saying that the rates of rape and molestation have gone down, you know why that is?? I can tell you, it's online, that's why, and you watchers are keeping it alive.

[Citation Needed]
[Multiple Citations Needed]

this attack has nothing at all to do with CP or JB.

If not nothing, very little. I do believe that this is an example of the weakest exploit in their bag of tricks and they didn't much care that it was exposed, as there will be new exploits aimed at de-anonymizing TOR users.

I believe the feds are after the Darknet drug markets much more than CP. Feds foam at the mouth over drug users and need to keep the genocide against drug users going (it's not a war on drugs, only on users, and a war implies two sides fighting, which is not the case) to keep the money flowing and prisons filled and COs employed and on and on and on!!

It's about adults using drugs. :-(

Re-posting an apropos post.
Re: "drug sites":

-What about, for example, chemotherapy patients, many of whom are dying anyway?
Would you deny them the little respite and relief they claim that marijuana provides them?

Current drug policy in many places does just that, leaving such people-- in misery-- with no alternative but the very "black markets" that you refer to.

- Alcohol is a DRUG that is at least as deadly and claims at least as many lives as any number of substances that don't enjoy the blessings of the law and social acceptance.

What about "taking down" some of the (legal, sanctioned, privileged) mega corporations that promote, glamorize and glorify this poison?

Re: "money laundering": Can whatever Tor may facilitate in this regard even hold a candle to the likes of the Wall Street banksters or even (or especially) the Federal Reserve, the World Bank, etc., et al?

Not that two wrongs make a right but perspective is needed.

And the prison-industrial complex; the ways in which a number of entities directly benefit from a drug policy that results in mass incarceration is an absolutely critical aspect that cannot be overlooked in any discussion of these matters.

Of course it doesn't, the Pentagon is one of the biggest fans of CP.

Pentagon declined to investigate hundreds of purchases of child pornography

Why Was Pentagon Child Pornography Investigation Halted

Pentagon workers found to have downloaded child pornography
Dozens of staff and contractors with high-level security clearance put at risk of blackmail by their sex crimes

A typical post from a typical Tor user. "I do no wrong but I am so proficient in CP and JB[1] and know who exploits who etc" purely for educational purposes lol

[1] I can guess what CP is but JB? You guys are really experts in this stuff. I am sorry you were hacked ;)

Yay free speech and all, but yeah, no kidding.

That said, I don't think this little sub-thread counts as typical Tor users. Or said another way, the larger and broader the Tor user base gets, the less relevant this little subset is.

So arma you think it should be illegal for people to look at some pictures?

JB is jailbait and means naked pictures of people about 13 and older

Stay on topic, please.

The very fact that something is taboo gives it a certain lure.

Stolen water is sweet. Forbidden fruit and all that.


Where did the Tor Project so much as even /encourage/ visiting the type of sites that you CHOSE to visit?

Oh, I forgot, that's all besides the fact that you were running an OUTDATED, DEPRECATED version of TBB that had been replaced over a month ago!

Does running TBB from a Windows based VM protect the host machine MAC address? Only the randomly generated VM MAC could be revealed by this exploit?

Maybe? It seems like a step in the right direction.

So nobody has any idea if users of versions lower than 17 are affected, like version 10 for example, because nobody knows what was in content1_html. Why is that not mentioned in the article or in any articles for that matter? Why is this not investigated? There could have been another exploit, different from this one in that page, one that still works in the latest version.

JavaScript is the real issue. Yeah, it would be great if the exploit only works on v17 (for those using older versions), but if you had JavaScript disabled, it probably doesn't matter which version one used. More data is needed.

See the list of Mozilla advisories, linked in the Tor advisory:

All the ones in red are bad news. And most of the ones in red came out after Firefox 10 was abandoned.

I think most are concerned with this specific exploit on non-TBB FF versions under v17.

Nobody cares about outdated software. Do you use Win95/98?
Be up to date!

Not to be paranoid, but how do we not know that old Tor versions are safe and the new versions are actually planted with back doors?

Well, you know that older Tor versions aren't safe: we give you detailed release notes for all stable releases:

As for whether newer versions have backdoors, see for example
for some discussion of why it would be unwise for us to put backdoors in.

And if you want to be extra careful (besides reading all the source code of course), check out Mike's recent work on deterministic builds:

It's open source, Get the code. Read it for yourself and see what it's doing. Reproduce the build environment and build it on your own machine.

If you don't know how to do any of that, learn.

The biggest threat to anonymity and online safety is ignorance.

Have /you/ carefully checked through all of the code for all of the software that you use?

Are you even sure that, should there be anything suspicious in the code, that you would recognize it?

Browser versions less than 17 WERE exploited by this. It checks the version and if less than 17 redirects to content_1.html. Does anybody know the contents of that file?

Exactly, there is a lot of misinformation being spread on all official channels. Every expert review I've read so far specifically talks about version 17 being the only one targeted and affected. But that is clearly not the case if you read the code. Versions 0-16 inclusive are subjected to content_1 payload.

content_1, that nobody has seen so far, could have calls to content_4, 5, 6.. and do a lot more than just report the IP. I wonder why it was never obtained? And why is every news source trying to hide its existence? Can it not be obtained the same way content_2 and 3 were?

Let us know as you learn more!

If my browser was safe but I had a separate instance of FF open elsewhere, can the malicious javascript bleed through and phone home to the FBI from there?

Can Javascript jump from one open browser to another or is that off the table?

- Just seeking clarification on all of the possibilities and I promise I'm only asking this once! -

In a correctly behaving browser, Javascript shouldn't be able to jump between browsers.

In a vulnerable browser, somebody could have written an exploit to take over your computer, and from there it could mess with any other running (or not yet running) applications.

Since malicious client side scripts have no direct access to the underlying filesystem or OS of the client, they can not be transmitted across browsers.

However, if you have malicious bookmarks or addons installed and voluntarily transfer them, perhaps in ignorance, then the other browser is also vulnerable.

And it depends if "malicious scripts installed" are at an OS level, or at a browser level. If something infects your OS, any application is vulnerable.

So, with an older version of TBB with JavaScript disabled and ex on linux, a user would not be affected by this?


(But you should upgrade anyway!)

"ex on linux"


Did the TBB notify on the start page of an update if you were running Firefox ESR 17.0.6 when 17.0.7 was released?

Yes. Or more specifically, it notified you once a new TBB was released, and that TBB included Firefox 17.0.7.

Any knowledge as to whether EMET would have prevented the exploit from running? Nobody has talked about this but the enhanced mitigation features are useful under Windows and should be common practice.

Good question. Does Firefox build with it?

Does App Armor come in here at all?

Is the TOR browser from June 23 safe?

Depends what version it is.

Would the exploit affect Unix-based operating systems or just windows?

For this exploit, just Windows.

But you should stay up-to-date on other platforms too.

I have to repeat the same message as a follower above:
On 30 July or 1st August I received this message as a sub-bar:

In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values

What does it mean? Should I be worried? It seems I use version 1.7.6 but with JavaScript off. The rest of the browser is in default mode. Did that "crucial fix" do something wrong? Is it known for sure that only JavaScript ON affected people and nothing else?

Did that bar pop up when you visited a known infected site? Or was it randomly some other time?

People know it affected us through Javascript, because specifically it was a Javascript attack when visiting those sites. Events happened in the order of

1. Visit infected site
2. Malicious Javascript code awaits you, it attempts to launch!
3. Blocked/Detected/Affected

Not sure about the crucial fix playing out on this stage. Seems unrelated.

Hey. I really can't remember when that sub-bar showed up, whether I was trying to access a site or suddenly doing something else. Certainly this was in Tor, not in Mozilla, because I use Chrome for clearnet. I c/p'd that message into Google and I can only find it on Twitter from an engineer computer guy. It amazes me that nobody else noticed this except the fellow above. It appeared absolutely the same as I have rewritten it now. Does Tor ever send sub-bars like that?
Thing is, I did nothing about that because I didn't even know what was happening at that moment; nobody knows. 30 July or 1 Aug. Very strange.

All I want to know is whether this was sent from TOR or because of this exploit. And if it is because of malware, should I be calm, using 17.6 at that moment with JavaScript off and a pretty old TBB (2-3 months)? I am very "lucky" day by day.. It seems legit why almost only I received that....

No, I saw the same message a couple of days ago and I was prodding around FH to see what was going on, but NoScript was always on. Thing is, I updated my TBB today to 17.0.7 and the message reappeared after the second launch of TBB. It says "to implement a crucial fix https has reset to default rules" or similar. This is 64bit Linux.

A few days ago I also had this bar showing up. IIRC it was displayed as soon as the browser started and visited the page. I also made screenshots of this event.

Quoting the poster before me: all i want to know if this was sent from TOR or because of this exploit. and if is because of malware....

That is what I wish to know too. Was the message "In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values" sent by Tor?

I was using the latest version of TBB at the time when I received the above "crucial fix" message but with JavaScript enabled.

What I did next was to delete the TBB, re-downloaded the TBB from Tor's official website and re-launched the Tor browser.

I also ran a complete scan of my PC using the latest anti-virus software.

For Tor developers and people who are interested in investigating further whether the website has been infected with the JavaScript exploit, please surf to

That is the website that forced my Tor browser to reset HTTPS Everywhere set of rules.

I am the first person who posted the "HTTPS Everywhere" crucial fix message.

In answer to your questions:

1. Did that bar pop up when you visited a known infected site? Or was it randomly some other time? I am unable to answer this question as there is no way for me to tell whether the site that gave me the "crucial fix" error has been infected or not.

2. At the time I received the "crucial fix" message, I was already using the latest version of TBB but with JavaScript enabled.

I'm paranoid; I ask the OP to respond. Was this message from the Tor browser or a tricky scheme of infected sites I visited?
Early this year I made $16 donations to every service I love, which is ad block, umusic and Tor. I didn't expect this coming!!! Please respond to my inquiry.

I read that the sub-bar was one of the indicators that the exploit had been run on your browser. Sorry, you might want to nuke your hard drives :(

Where exactly did you read that? Could you provide the links?

Sounds like nonsense.

Why not make an official post reassuring people about the HTTPS-Everywhere pop-up in question. Many people, myself included, were/are obviously concerned. Wasn't that only reasonable and to be expected?

I'm using HTTPS Everywhere on two other browsers (one on Windows and one on Fedora) which are not being used for Tor browsing at all, and received the same message on both recently. Probably it was part of the last update of the extension.

I got that popup after getting the newest TOR bundle today. I disabled JS and all the other things and did not visit the infected sites on this new bundle. It's most likely unrelated.

Me too.. installed the new bundle, disabled JavaScript, visited only the hidden wiki and this blog. After a system restart and opening Tor I see the same message on my Firefox.

I also saw this message pop up. A little research reveals:

The latest tbb comes with HTTPS-Everywhere 3.2.2.
tbb has "update Add-ons automatically" selected by default so it gets updated to the latest version.

Latest version of HTTPS-Everywhere shows changes to code
In response to this ticket

It looks like this is normal behavior.


I got this message too! I am not sure I was visiting an FH site atm.

Was the update official or was it an attack? I even clicked it. I use FF 17.0.7 ESR on Win7 64bit.

As a translator of HTTPS Everywhere, I have seen and translated that very string, so it is an official part of the HTTPS Everywhere extension. It is not related to any exploit. It is not put there by any website one visited.

Sorry if this has been asked already, but I only downloaded the Tor Browser Bundle a few days ago, so I presume I had the latest browser version, 17.07. I just checked, and Javascript was enabled.
For non-Tor browsing, I use Firefox 22.0. Am I safe from this exploit?

We think so.

So my Kaspersky marked malware in this file "C:\Documents and Settings\-name-\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22" and even labeled it "exploit". Is this the same exploit?

Java? Sounds unrelated.

Would running Tails with Iceweasel 17.0.7 in a VM within Windows be safe from the attack as well?

I would say that is VERY safe

Yes. Even safer than on normal Windows.

Anon: "Would running Tails with Iceweasel 17.0.7 in VM within windows be safe from the attack as well?"

arma: "Yes. Even safer than on normal Windows."

Huh? Run Tails on Windows? How is that even possible /other/ than within a VM?

For me it sounds like "safer than using TBB on Windows".


Not that I'm saying it's wrong, but I'd like more details than "somebody knows somebody else who has some database that said this netblock was once the NSA's". shows the exploiter's server IP ( belongs to the government contractor SAIC. They do work with NSA but also many other government agencies (source: I used to work for them!). The link in that article to the page ( doesn't seem to include that IP. So I can't see how they know it's been "assigned" to NSA. But that it's linked to SAIC means it likely is some kind of U.S. government project.

When did the attack take place? i.e. When did they start using the java exploit?

"java exploit"

JavaSCRIPT not Java!

Can Torproject please fix the page that incorrectly informs users of 10.0.12 they are up to date? People who rely on that version check won't know to update.

Might this be a bug in whatever ANCIENT, LONG-DEPRECATED version of TBB has Firefox 10.0.12 ?

I last used Tor in early May, never did anything illegal but I probably visited a FH site if the whole 50% of the sites are hosted by FH is true. Have you got any ideas/guesses on a time frame for the attack?

Time frame was "a few days ago".

Also, the notion that half the hidden services were hosted by FH is likely bunk. Of course, they're hidden so it's hard to produce a concrete number.

Of all the sites hosted by Freedom Hosting, how many were/are dedicated to scabrous material involving underage subjects?


In this case, I'd say it's more likely poppycock.

This TOR exploit thingy. It supposedly gets your IP, but what if you're on a home network behind a router? Will it grab the IP of your computer on that network, like 192.168.x.x?

It grabs your hostname (e.g. "John's PC"), your MAC address (the local hardware address), and then it sends those plus a unique number to the remote website. It's that last step where the attacker can learn your public IP address -- and where a firewall sure would be helpful, to block outgoing non-Tor connections (like how Tails does it).

The firewall wouldn't help with this exploit, because the malicious assembly code executes within the TorBrowser process space (the firewall would think it's the tor browser and let it through).

There is no reason to let the Tor Browser process (or indeed, any process run by that user) speak to the Internet.

Is it another process (vidalia?) that actually makes the internet connection? If so, yes a firewall blocking tor browser outbound would be a really good idea. I was assuming Tor Browser itself makes the connection.

No, it's a program called Tor. You might have heard of it. :)

So to prevent future exploits of this type, could torproject maybe show downloaders how to set the Windows firewall properly to block all outgoing connections (it allows all by default) except allow tor.exe and the user's other trusted programs? And mention if a window ever pops up to allow tbb-firefox.exe to connect outbound (i.e. some exploit is running) to always deny it? Users who understand that would pretty much be safe from any future exploits like this, I'd think.

Maybe? We're all bad with Windows, so it would be great if somebody would volunteer to work on this.

(The other answer is to run Tails in a VM on Windows, if you really need to be running Windows in the first place.)
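The firewall setup asked about above (allow tor.exe out, deny tbb-firefox.exe and everything else), as an added example; this is not code from the Tor Project or from anyone in this thread. It uses netsh advfirewall, which is present on Windows 7, so it also covers the Win7 users in this thread. The install directory `C:\Tor Browser` and the paths `App\tor.exe` and `App\Firefox\tbb-firefox.exe` are assumptions; point them at your own bundle.

```powershell
# Added example, not the Tor Project's own instructions. Turns Windows
# Firewall into default-deny for OUTBOUND traffic and allow-lists only the
# Tor daemon, so that a payload running inside the browser process cannot
# open a direct (non-Tor) connection. Run from an elevated PowerShell.
# The three paths below are ASSUMPTIONS about where the bundle was unpacked.
$TbbRoot = 'C:\Tor Browser'
$TorExe  = Join-Path $TbbRoot 'App\tor.exe'
$FfExe   = Join-Path $TbbRoot 'App\Firefox\tbb-firefox.exe'

# Refuse to write rules that point at nothing; a mistyped path would
# silently leave the browser unblocked.
foreach ($p in @($TorExe, $FfExe)) {
    if (-not (Test-Path -LiteralPath $p)) {
        throw "Not found: $p  (fix the assumed paths at the top of the script)"
    }
}

# 1. Default policy for every profile (domain/private/public):
#    inbound blocked (already the default) and outbound blocked too.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. The only program allowed to talk to the Internet directly is tor.exe.
#    Each key=value pair is quoted as a whole so PowerShell hands it to
#    netsh as one argument even though the path contains a space.
& netsh advfirewall firewall add rule "name=TorDaemonOutbound" `
    dir=out action=allow "program=$TorExe" enable=yes

# 3. Explicit block for the browser binary as well, so it stays blocked
#    even if someone later flips the default back to allowoutbound.
#    Windows Firewall does not filter loopback traffic, so the browser's
#    SOCKS connection to the local tor.exe keeps working.
& netsh advfirewall firewall add rule "name=TorBrowserBlockOutbound" `
    dir=out action=block "program=$FfExe" enable=yes

# 4. Read back what is now in force, for review.
netsh advfirewall show allprofiles | Select-String 'Profile Settings|Policy'
netsh advfirewall firewall show rule name=TorBrowserBlockOutbound
```

Any other program the user trusts (an updater, a mail client) needs its own `action=allow` rule added the same way; with outbound default-deny, anything without a rule is dropped without a prompt, so the first sign of a missing rule is that the program simply cannot connect.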

Wait, how does it get your ip from the hostname, MAC and the unique number?

"and then it sends those [...] to the remote website. It's that last step where the attacker can learn your public IP address"

It sends them outside of TOR?

Yes. (Read the advisory.)

Once again sorry for being redundant, but I thought I would ask a broader question hoping that it would answer a lot of questions.

If someone had Windows 7, Tor Browser Bundle with Firefox 17.0.7 ESR, but NoScript set to "Allow ALL globally", would my MAC address and IP address have been revealed by this "iFrame picture" exploit?

Also, is the MAC address that is revealed my MOTHERBOARD'S network jack address OR my internet service provider (ISP)'s router modem?


No, the exploit was fixed in 17.0.7. (And for those with earlier versions who were exploited, the MAC address would be your computer network adapter's).

17.0.7 means this exploit won't work, full stop.

As for which mac address, if I'm reading the exploit right, it is your first local address -- so if your Internet connection is through an ethernet connection on your motherboard, it's probably that.

One question.. I have the ESR version 17.0.7 I installed on June 26, but I don't have the alpha version 3, I have Tor, and I visited pages of Freedom Host (with JavaScript disabled globally). Yesterday I visited Tormail, and I saw the message "Sorry Close for maintenece" (with JavaScript disabled globally). Does that mean the exploit worked? Or am I at risk? Please help - thanks in advance

You are totally safe. Can't you read the information above???

People these days are really fascinating, they seem to work like this: Don't want to invest (time for reading) anything but want to get (a prompt personal answer on a silver dish) everything - I CAN HAS PLZ???

The vulnerability was fixed in Firefox 17.0.7 ESR and you had JavaScript off anyway. So you are not at risk.

arma, thanks for all your updates and comments, even if it's "we don't know." Frequent communication is always good!

So if one had turned off JavaScript on one's pre-v17 browser, that would have stopped the exploit from executing?

Do we know 17.0.7 actually blocks this? Has somebody tested it against this particular exploit? I know as a programmer myself we like to indicate a bug is "fixed" but it really needs to be tested by others.

Yes -- see Dan's blog post:

Why do people keep saying Firefox ESR 17.0.7. is not affected

Firefox ESR 17.0.7 [3] is not affected, notice the 3

The [3] is a note number used on the Tor security advisory page.

Any law experts around? Assuming this illegal exploit worked, what could they do with the IP list? Are a couple of random visits to FH sites (like, exploring hidden wiki links) enough to warrant raids? Just wondering what exactly was the purpose of this illegal exploit, because clearly not all affected are guilty, even if they did visit some of the illegal sites once or twice by mistake or due to curiosity. A raid on them would destroy their lives nevertheless.

Can this list be used against international citizens? Would international agencies accept tips obtained this way? How can the list of addresses be used as evidence if external, malicious executable code ran on the target PCs? One could easily argue that a version of this code could entrap people by opening illegal sites in the TOR browser. The code did change multiple times, did it not? And parts of it are not yet obtained.

Isn't the entire premise of this attack - pointless? Apart from branding all TOR users as molesters in the news due to sensationalist titles of course, so that people stop using it and the NSA/CIA/FBI has an easier task to play the Big Brother on everyone.
