Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
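As an added example (not part of the advisory, and not Tor Project code), here is a small Python check that parses the bundle version strings in the formats listed above and reports whether a bundle is at least the fixed release of its series. The locale suffix that appears on downloaded installers (for example "2.3.25-10_en") is stripped before comparison; the pre-fix sample versions used in the usage block at the bottom are constructed inputs, not a list of known releases.

```python
import re

# Tor Browser Bundle releases that ship the fixed Firefox 17.0.7 ESR,
# copied from the advisory above.
FIXED_BUNDLES = ["2.3.25-10", "2.4.15-alpha-1", "2.4.15-beta-1", "3.0alpha2"]

# Release stages in ascending order of maturity: an alpha precedes a beta,
# which precedes the final (unlabelled) release of the same number.
STAGE_RANK = {"alpha": 0, "beta": 1, None: 2}

VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?"      # major.minor[.patch]
    r"(?:-?(alpha|beta)-?(\d+))?"    # optional "-alpha-1" or "alpha2"
    r"(?:-(\d+))?$"                  # optional "-10" build number
)


def parse_version(version):
    """Turn a bundle version string into a sortable tuple.

    Handles the formats seen on this page: "2.3.25-10", "2.4.15-alpha-1",
    "3.0alpha2", and a locale suffix such as "2.3.25-10_en" (the locale is
    a packaging detail, not a different release, so it is ignored).
    """
    bare = re.sub(r"_[A-Za-z-]+$", "", version.strip())
    m = VERSION_RE.match(bare)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch, stage, stage_num, build = m.groups()
    return (
        int(major),
        int(minor),
        int(patch or 0),
        STAGE_RANK[stage],
        int(stage_num or 0),
        int(build or 0),
    )


def _fixed_by_series(fixed_bundles):
    """Earliest fixed release for each major.minor series."""
    out = {}
    for v in fixed_bundles:
        key = parse_version(v)
        series = key[:2]
        if series not in out or key < out[series]:
            out[series] = key
    return out


FIXED_BY_SERIES = _fixed_by_series(FIXED_BUNDLES)


def is_fixed(version):
    """True if this bundle is at least the fixed release of its series.

    A series older than any that received a fix (e.g. 2.2.x) is reported as
    not fixed. A series newer than any listed here raises, because the
    advisory says nothing about it and guessing would defeat the check.
    """
    key = parse_version(version)
    series = key[:2]
    if series in FIXED_BY_SERIES:
        return key >= FIXED_BY_SERIES[series]
    if series < min(FIXED_BY_SERIES):
        return False
    raise ValueError("no fixed release known for series %d.%d" % series)


if __name__ == "__main__":
    # Constructed sample inputs: a mix of pre-fix and fixed version strings.
    for v in ["2.3.25-9", "2.3.25-10_en", "2.4.14-alpha-1",
              "2.4.15-beta-1", "3.0alpha1", "3.0alpha2"]:
        print(v, "fixed" if is_fixed(v) else "NOT fixed, update")
```

The comparison is done per major.minor series on purpose: 2.4.14 sorts after 2.3.25-10 as a plain version number, but it predates the 2.4 series fix, so a single global "greater than" test would give the wrong answer.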
If majority of users have javascript on, and you have it off, you are suspicious.
It's far better to feed observers a made-up timezone, size, color depth, and system fonts.
I vaguely suspect there's a plugin for that.
LOL like that matters, you are already "suspicious" if you come from a tor ip.
I'm using version 17.0.7 without Javascript, am I ok?
Yes
Fucking ZOGProject!
I hope you die!
To WHOM is your comment directed?
So what is the safest way to run the TBB with java and JavaScript turned off?
I use tor + privoxy and Firefox 22 as a browser (and I don't use Windows, of course). Am I safe? If not, what should I do? I am a journalist, sorry if my question is a stupid one.
You're probably not as safe as you should be. See
https://www.torproject.org/projects/torbrowser/design/
for all the things that Tor Browser gives you. You have roughly none of them with that set-up.
Privoxy? Really? Of course you're not safe. You probably won't have to be worried about this exploit, but you understand privoxy can only provide an HTTP proxy, right?
There's a reason Tor has dumped it ages ago.
"Journalist". Your spelling and grammar tell a different story.
No need to assume he's an English journalist. There are many international ones.
I'd say the question alone suggests that you should not be attempting to use Tor outside of TBB or Tails.
Noscript should be enabled by default or javascript should be disabled by default in tor browser bundle.
it used to be :(
Yeah? When? Everybody seems to think this is true but nobody can point to a version of TBB where it's true.
I would also say I thought the same thing, but I realized something, so now I am not so sure that this was true with the TBB, but it was true with the Vidalia Bundle (which for some insane reason you no longer maintain, and I have to add Polipo in myself). I think that is the confusion.
I think the following should be done
1. The default home page already does detect if you are actually using TOR and if better versions are available. You could at least add a JavaScript add to detect and inform people that it is enabled. It can be easy to forget right after an update (yet could cost them dearly).
2. If they prefer it disabled then a simple how to could help (yes I know it takes about 2 clicks but many users are tech impaired).
3. Do include something like pre-configured Polipo (or Privoxy which was used formerly).
4. Having NoScript disabled by default does make a certain sense in that it is more usable by the tech impaired, yet there is a disconnect here when you consider the current method of PGP checking (not that I recall noticing much good instruction on your site to begin with).
Sure it is easy enough for the technically inclined like myself, but what is the point of the average user getting into TOR while being so vulnerable to a compromised client?
Consider this when the stakes are higher - a whistle-blower/informer/activist. Not all these people will understand how to know the difference and good luck to the non-English speaking activists trying to figure out how to use PGP.
I am working on this myself - mentally at this point. I may slap something good together that will help the less tech adept. It would be better though (more trustworthy) if you guys handled this. It would not really be that hard.
Another thing you might consider is an installer which ASKS people if they prefer things more secure or more compatible with websites. Depending on the question, pre-configure TBB as they have chosen.
As for "it would not be that hard" for the PGP thing, consider that our current instructions for Windows users start with "download gnupg.exe from this http website". Windows users are screwed at a very deep level. If you have good answers, the world wants to know them.
As for a configuration option for Javascript, keep an eye on
https://trac.torproject.org/projects/tor/ticket/9387
Oh, and you don't want Polipo -- the next code security vulnerability would exploit it.
Waaait a minute. You acknowledge that TBB never shipped with Javascript disabled, but then you say that the old Vidalia bundle did? The Vidalia bundle never included a browser! And the old Torbutton Firefox extension never shipped with Javascript disabled by default.
I think a lot of the confusion stems from people very long ago being confused between Java and Javascript. Also, very long ago (before Torbutton), there were open questions about what privacy-invasive things Javascript could (using the legitimate API, I mean) do to you. Torbutton addressed many of them. But we're talking 6+ years ago now.
https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/CHANGELOG
for those playing along at home.
1 and 2, at least, sound like good ideas.
I'm sorry for repeating hearsay without first verifying :(
"Noscript should be enabled by default"
NoScript is enabled by default in both Tor Browser Bundle as well as Tails, but set to allow scripts globally. Even in this configuration, NoScript still provides certain protections, such as blocking cross-site scripting (XSS) attacks[1].
Obviously, allowing scripts globally cannot provide (anywhere near) the same level of protection as the selective whitelisting model that is the normal default behavior of NoScript. So why do both Tails as well as TBB ship with this less-secure configuration of NoScript? This question has been asked and answered many times (both of/by Tails as well as Tor).
The primary reason that has been given is usability; the functionality of many, if not most, web sites is heavily dependent upon JavaScript, often critically so.
An additional reason that has been given (both by Tor as well as Tails officials) concerns "fingerprintability".
Here is the relevant part from the Tor Project FAQ:
(all emphasis mine)
"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).
Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."
( https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled )
NOTES: [1] See, for example:
http://www.h-online.com/security/news/item/PayPal-vulnerable-to-cross-s…
I believe, but am not certain, that NoScript would protect against this threat, even in the default Tails and TBB configuration where scripts are allowed globally.
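The FAQ's anonymity-set argument quoted in the comment above can be worked through numerically. The following Python is an added example, not from the page, the commenter or the Tor Project: the population of visitors, the attribute values and the three probe domains are all constructed placeholders. It models what a site (or an exit node injecting a page) can observe through JavaScript: every Tor Browser user on default settings reports the same timezone, screen size, colour depth and font list and runs every script, so they blend into one large set, whereas a visitor with JavaScript off, or with a per-site allow list, ends up in a set of one.

```python
import math
from collections import Counter

# Constructed: what a default-settings Tor Browser reports through JavaScript.
# The exact values do not matter; what matters is that every default user
# reports the same ones.
TBB_DEFAULT = {"js": True, "tz": "UTC", "screen": "1000x700",
               "depth": 24, "fonts": "tbb-default"}

# Constructed placeholder domains whose scripts the observing page tries to
# load. With NoScript set to allow globally (the TBB default) all of them run;
# with a per-site allow list only the allowed ones do, and which ones did is
# itself observable. This is the leak the FAQ warns about.
PROBE_DOMAINS = ("example.org", "cdn.example.net", "ads.example.com")


def observed_fingerprint(profile):
    """Everything one visit reveals, as a hashable tuple."""
    if not profile["js"]:
        # No script ran, so none of the attributes below are readable,
        # but "no JavaScript" is itself a distinguishing observation.
        return ("js:off",)
    allowed = profile.get("allowed")  # None means allow scripts globally
    ran = tuple(d for d in PROBE_DOMAINS if allowed is None or d in allowed)
    return ("js:on", profile["tz"], profile["screen"],
            profile["depth"], profile["fonts"], ran)


def build_population():
    """Constructed sample of 100 Tor visitors seen by one observer."""
    users = [dict(TBB_DEFAULT) for _ in range(97)]   # default settings
    users.append({"js": False})                      # JavaScript disabled
    users.append({**TBB_DEFAULT, "allowed": {"example.org"}})
    users.append({**TBB_DEFAULT, "allowed": {"example.org", "cdn.example.net"}})
    return users


def anonymity_sets(users):
    """How many visitors share each observed fingerprint."""
    return Counter(observed_fingerprint(u) for u in users)


def surprisal_bits(users, profile):
    """Identifying information in bits: log2(N / size of the matching set).

    `profile` must be a member of `users`; 0 bits means everyone looks alike,
    log2(N) bits means this visitor is the only one with that fingerprint.
    """
    sets = anonymity_sets(users)
    size = sets.get(observed_fingerprint(profile), 0)
    if size == 0:
        raise ValueError("profile is not part of the observed population")
    return math.log2(len(users) / size)


if __name__ == "__main__":
    population = build_population()
    for fp, size in anonymity_sets(population).most_common():
        print("set size %3d  (%.2f bits)  %r" %
              (size, math.log2(len(population) / size), fp))
```

Running it shows the default-settings users sharing a set of 97 (about 0.04 bits of identifying information each), while the JavaScript-off visitor and each allow-list visitor sit alone at log2(100), roughly 6.6 bits. The numbers are only as good as the constructed population, but the shape of the result is the FAQ's point: deviating from the default, in either direction, is what makes a Tor Browser user stand out.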
BWAHAHAHA enabling javascript is safer? Crack pipe please!
Javascript exposes your system's Time zone/Screen size/Color depth/System fonts, without even using any hacks, test it yourself:
https://panopticlick.eff.org/index.php?action=log
How the fuck is that safer? That's before we even talk about all the javascript exploits.
If javascript is safer noscript wouldn't attach the (dangerous) warning sign to it now would it.
Stop lying.
So if one had FF 17.0 to 17.0.6, AND had javascript enabled, they are probably compromised.
If javascript was disabled, probably GTG?
Against this particular exploit, yes.
If you're running off Firefox 10 (i.e. not the latest), there's no warnings on the check.torproject page (it says the usual congratulations), and if you check for updates through Options->Help, it says it's up to date! Please fix this because people who rely on this to find out if it's current won't know about this vulnerability.
Which bundle do you have exactly?
And unfortunately, 'check for updates' means 'go ask Firefox if there are updates', which we've disabled in TBB since that's not where your updates come from.
As a general comment, all of this stuff has been going on for quite some time and it is my general reflection that the nature of the problem has to do with either Tor not having enough volunteers working on the problems / code updates / fixes, or not enough money / donations to do this. Not sure if I am right about this, but over the past few months, I have been closely watching the following conversations -- all quite public in blog.torproject.org posts, with substantial discussions accompanying each post:
1) April 22, 2013: 'Hidden Services Need Some Love'
https://blog.torproject.org/blog/hidden-services-need-some-love
(Notice the discussion of donations in the comments section, after the extensive post on keys / key length, attacks, hidden services, etc - did this ever materialize? Maybe there is a need for a public funding campaign, perhaps, to address certain ongoing security issues discussed in that post?)
2) June 8, 2013: 'Prism vs. Tor'
https://blog.torproject.org/blog/prism-vs-tor
(See discussion of keys, donations, etc, in comments...)
3) August 4, 2013: 'Hidden Services, Current Events, and Freedom Hosting'
https://blog.torproject.org/blog/hidden-services-current-events-and-fre…
(Kind of odd that part of the title was 'Current events' since a variety of these issues which led to this have been discussed and discussed and discussed for some time - but again, worth reading, and check out all the comments)
Supposedly Tor is looking for a lead software engineer and would like to hire more people. https://www.torproject.org/about/jobs.html.en
I am just guessing, but it seems to me that people would be willing to support crowdfunding positions for Tor bugfixing and development (such as through an indiegogo or crowdrise campaign) -- especially if there was a promise by Tor to divest itself of (that is, get rid of) any connection to DoD funding or staff now and in the future. People are asking questions about Tor's past and present funding. People ask questions about Dingledine. https://blog.torproject.org/blog/trip-report-october-fbi-conference It is in people's nature to ask these kinds of questions and to be skeptical. I think one way to address this meaningfully is for the Tor project to lean more on crowdfunding mechanisms and more frequent appeals to the user base through social fora to participate in financing efforts to support and fix Tor.
In closing, I think it's good that Tor is working with Mozilla in an effort that could bundle Tor into Firefox, and is working towards a day when Tor could be incorporated into Chrome (( post on that here https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChrome… )) but it is obvious that all of this needs funding and support which implies a need for crowdfunding more positions (periodic / more frequent indiegogo campaigns, etc.) to address all of these security issues - or so it would seem.
Funding campaigns are needed.
Your post seems to completely overlook the fact that only those who were running OUTDATED, DEPRECATED versions of TBB were subject to this exploit.
Other than that, you raise some good points, particularly about funding sources.
Observing your other posts here (no I am not an admin, but I can read and see patterns), you seem to repeat the phrase "OUTDATED, DEPRECATED" in your post(s). Perhaps you think everyone is using OUTDATED, DEPRECATED versions of TBB in Windows and that is your issue? Or perhaps you did not read the context of my post above, which had nothing to do with whether or not someone is updating something and everything to do with the issues of torbugs of all kinds (and the problem of how to fund the fixing of them over time whenever they occur, whatever they are).
Also, I suggest reading this -- just for fun (relevant to both java and javascript issues, which I think will be a long running discussion and are in no way settled):
--> https://www.cyberguerrilla.org/blog/?p=15358
*** Notes:
What is Java? https://www.java.com/en/download/faq/whatis_java.xml
How is Javascript different than Java? https://www.java.com/en/download/faq/java_javascript.xml
Is Javascript Enabled In My Browser?
http://www.whatismybrowser.com/is-javascript-enabled
What is NoScript? http://noscript.net/ <-- Read this, if nothing else here.
Enjoy
Does this affect users of Chrome who have the Bundle installed?
Wait, what?
If you mean "I use Chrome for my non Tor browsing, and I use the Tor Browser Bundle for my Tor browsing", you should be fine. TBB is designed to be standalone and not care what else is on your system.
If you mean "I hacked up some Chrome thing and hooked it up to Tor, am I safe?" then you likely have other problems:
https://www.torproject.org/docs/faq#TBBOtherBrowser
"TBB is designed to be standalone and not care what else is on your system."
But a compromised system absolutely /can/ and is /likely/ to compromise/defeat TBB.
Sure. But it's NOT Tor/TBB fault.
I have the latest TBB. Since Friday (8/2/13) Tormail (RoundCube) is not reachable. Any idea what is going on?
Freedom Hosting, the company who served Tormail, is down. It's all over the news.
I have a 2.3.25-10_en version but it was downloaded and installed 6/21/13 per my computer - is this the same version with the bugfix that was said to have been released on 6/25/13 here?
The bundle went live on the webserver on June 24:
https://www.torproject.org/dist/torbrowser/
Perhaps you got an earlier version that was distributed for QA / testing? Or perhaps your computer's date is/was wrong? Or perhaps you don't have a real Tor bundle at all?
I am a spaz. It was actually installed on 7/21/13 - I misread the file info. Thank you for your prompt reply and kind assistance
"It was actually installed on 7/21/13 - I misread the file info."
Thank you for following-up.
Since Friday (8/2/13) can't reach Tormail (roundcube). There was a message up about server maintenance, but that is gone. Any idea what's going on?
don't worry, FBI will contact you later
I read that the exploit only affected versions 17 and 18 of FF - I am running 19.0.2.
Is this a browser that would be affected by the exploit?
According to Dan Veditz's post, "The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7."
So your FF 19 has the vulnerability, but this particular attack code would not target it.
It seems that the US police state has learned the IP addresses of people all over the world who committed the non-crime of visiting a bunch of websites.
From a technical point of view that's a big failure for the Tor project. They are responsible for the browser they bundle, aren't they?
Now, what's the legal side of things? The US police state has hacked into computers of people living all over the world. What is the US state planning to do with the information they stole?
Please somebody from the EFF chime in. Thank you.
We do try to keep up with browser updates for TBB, yes. You'll notice that we put out an update in June, and this was exploited in August. People who updated were fine.
As for the legal side of things, I don't think anybody has details on whether it was really the US police state? Not that I'm claiming it wasn't, but it's hard for anybody to proceed without details.
Would EMET with Heapspray protection enabled on a vulnerable version have mitigated this attack?
If our TOR version was from early June late July, would we still be affected?
Find the version you were using if you can, maybe it's still hanging around somewhere - the compressed installer. Find those numbers attached to it and line them up with the content of this blog.
Early June probably yes, late July probably no.