Firefox security bug (proxy-bypass) in current TBBs

A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this DNS leak/security hole, follow these steps:

  1. Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
  2. Type “websocket” (again, without the quotes) into the search bar that appears below "about:config".
  3. Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.

See Tor bug 5741 for more details. We are currently working on new bundles with a better fix.

Anonymous

May 02, 2012

Oh dear :(

Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?

If yes, I may be in trouble.

@anon, AFAIK Twitter does not use web sockets, so even if you enabled Javascript on Twitter it should not be an issue. I could be wrong or there could be other issues.

No, you shouldn't be in trouble.

All that was/is leaked is your computer name-resolving twitter.com.
There is no information contained which account you accessed.

As I see it, this "bug" is only of real concern for people in countries where access to certain domains is illegal/suspicious in itself.
So, this report should be translated to Farsi and the like ASAP.

That is incorrect. A malicious site or tor exit node could have your browser resolve a uniquely-identifying subdomain. For example, if your twitter handle is "bradleymanning", twitter could have you query "bradleymanning.attack.twitter.com". Twitter's DNS server would then receive that query coming from your ISP's DNS server or worse, from your IP. At best, it would only learn what ISP you are using, which is bad.

Can you name me one country "where access to certain domains" is NOT "illegal/suspicious in itself." ?

Granted, it is a matter of degree and everything is relative, but still, your statement is rather incredible.

Anonymous

May 02, 2012

As long as you weren't doing anything illegal in the United States you should be fine. Tor has never been about hiding illegal activity. And since Twitter is in the US and doesn't respond to foreign court orders… well…

Ah right, maybe Anonymous "Oh dear" is a fucking communist, or even a dirty whistle blower like Manning! Brave, law-abiding citizens haven't got anything that must be hidden, so maybe you want to forbid TOR, Mr. McCarthy?

He/she was making a point about jurisdiction. Twitter doesn't have to abide by court orders from foreign countries. What is the matter with you?

Or maybe you just like having the government know absolutely everything you're doing whenever they like and hate the right to privacy? Fascist.

Anonymous

May 02, 2012

Everything I do in the US is illegal, FINE. Every word I use, every truth I tell, it is all illegal and my keyboard is typing out the words MAGIC LANTERN...So what are you going to do for me? Under 18! Or do I start praying 4 encryption in photos that isn't a cow jumping over the moon?

For those following along and want to know the details of the Firefox bug, see https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/curren…

Quoting the explanation in the patch:
>This is due to an improper implementation of the WebSocket spec by Mozilla.
>
>"There MUST be no more than one connection in a CONNECTING state. If multiple
>connections to the same IP address are attempted simultaneously, the client
>MUST serialize them so that there is no more than one connection at a time
>running through the following steps.
>
>If the client cannot determine the IP address of the remote host (for
>example, because all communication is being done through a proxy server that
>performs DNS queries itself), then the client MUST assume for the purposes of
>this step that each host name refers to a distinct remote host,"
>
>https://tools.ietf.org/html/rfc6455#page-15
>
>They implemented the first paragraph, but not the second...
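The quoted spec text describes two branches of one step: group CONNECTING attempts by IP when the client knows the IP, and by hostname when a DNS-resolving proxy hides it. The model below is an added illustration (not code from the Tor Browser patch or from Firefox) of that step, with a recording resolver standing in for the system resolver so the lookups that would escape the SOCKS proxy can be counted; the hostnames and addresses are constructed sample values.

```python
"""Model of the RFC 6455 section 4.1 "one CONNECTING connection per remote
host" step, in the two modes the quoted spec text distinguishes."""
from collections import defaultdict


class RecordingResolver:
    """Stand-in for gethostbyname(): logs every hostname it is asked for.
    Each logged entry is a query the local resolver (not Tor) would see."""

    def __init__(self):
        self.queries = []
        # constructed sample data
        self.table = {"example.com": "203.0.113.10",
                      "ws.example.net": "203.0.113.11"}

    def __call__(self, host):
        self.queries.append(host)
        return self.table.get(host, "203.0.113.99")


class ConnectSerializer:
    """Tracks CONNECTING attempts per "remote host".

    proxy_does_dns=False mirrors the behaviour the patch text describes:
    the hostname is resolved locally so attempts can be grouped by IP.
    proxy_does_dns=True follows the spec's second paragraph: when all
    traffic goes through a proxy that resolves names itself, each hostname
    is treated as a distinct remote host and nothing is looked up.
    """

    def __init__(self, proxy_does_dns, resolver):
        self.proxy_does_dns = proxy_does_dns
        self.resolver = resolver
        self.connecting = defaultdict(int)

    def key_for(self, host):
        if self.proxy_does_dns:
            return ("host", host)
        return ("ip", self.resolver(host))

    def try_connect(self, host):
        """Return a slot key if a new attempt to host may start now, or None
        if it must wait behind an attempt already in progress."""
        key = self.key_for(host)
        if self.connecting[key] >= 1:
            return None
        self.connecting[key] += 1
        return key

    def finished(self, key):
        """Handshake completed or failed: leave the CONNECTING state."""
        self.connecting[key] -= 1


def leaked_lookups(proxy_does_dns, hosts):
    """Start one attempt per host and return the hostnames the local
    resolver was asked about, i.e. the queries that bypass the proxy."""
    resolver = RecordingResolver()
    serializer = ConnectSerializer(proxy_does_dns, resolver)
    for host in hosts:
        serializer.try_connect(host)
    return list(resolver.queries)


if __name__ == "__main__":
    hosts = ["example.com", "ws.example.net"]
    print("local DNS mode leaks:", leaked_lookups(False, hosts))
    print("proxy DNS mode leaks:", leaked_lookups(True, hosts))
```

With `proxy_does_dns=False` every hostname reaches the resolver before the handshake starts, which is exactly the query the bundle was supposed to send only through Tor; with `proxy_does_dns=True` the serialization rule still holds (a second attempt to the same hostname waits) and the resolver is never consulted.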

Anonymous

May 02, 2012

It's not revealing your IP address to the destination server. It only reveals the fact that you are trying to communicate to a certain HOST (such as twitter.com) to the name server you use. None of the data you exchange with the host is revealed.

Anonymous

May 02, 2012

Wow. I guess at least someone caught this sooner rather than later.

Anonymous

May 03, 2012

Would be nice if Tor could be used with Opera, which IMO is the best browser around.

Tor CAN be used with Opera. If you use the easy Firefox bundles, you just have to copy the proxy settings from FF/Aurora into Opera instead... and then take all the usual precautions to make sure no scripts or plugins cause your browser to leak data.

There was "OperaTor", which was like a TBB but with Opera instead of Firefox. But it came with a launcher that wasn't open source and that obviously raised many people's suspicions.

Tor does work with any browser that can connect to it via SOCKS, either directly or with a SOCKS proxy. Making another browser work isn't the problem. The problems are:

  1. Making certain that all of the traffic (including DNS) also goes through Tor only.
  2. Making sure that your browser, extensions, plugins, integrated apps, etc. are not leaking identifiable or trackable data.

It can be done. I've used Tor with SeaMonkey for a long time, but there's much more to do than just connecting the apps together. Flash, java, and javascript can all reveal what you want private. You need control over all the traffic, aka specific firewall rules with tight control over loopback traffic.
Rick

Anonymous

May 03, 2012

So what if anyone wants to know what am doing I don't care. Not doing anything I shouldn't be so it doesn't matter! You lot who care are either doing something illegal or breaking some rules somewhere. Skitzy or what!!!!

BTW I'm sitting on Facebook, Twitter, YouPorn and having some breakfast with a cuppa and a kitkat, problem???

So then I take it you would have no problem if the government decided to set-up surveillance cameras in your bedroom and bathroom.

After all, if you're not doing anything you shouldn't be, what should be the concern, right?

No, it was simply taking the poster's argument to its logical conclusion.

He argued that privacy is only of concern to people doing wrong.

(Never mind the subjectivity in defining what is "wrong"...)

BTW, why are you even following this blog?

According to what you wrote, you should have no need or interest in something like Tor.

so u WANT places like those and like google selling info about u to ppl u dont know for profit? sure targetted ads CAN be convenient, but are mostly irrelevant and annoying to me. and what if some hacker sets up a 'legit' advertising company just to harvest the free info u are giving out? what might THEY do b4 google etc find out and cut the fake company out of the loop?

Anonymous

May 03, 2012

Should I do it on my Obfsproxy version? And could I change some components of this version? For example, could I change the Firefox into the upgraded one? Hope you can tell me. Thank you!

Anonymous

May 03, 2012

Fork latest Firefox 3 which does not know web sockets.
Then go along with the Mozilla patches as far as they apply.

In the long term this could be a Tor browser which requires less work
and comes without unwanted surprises.

And a Tor browser that doesn't work with sites that require web sockets, or any other new more recently standardized feature. A browser that only works on some sites isn't that useful to most people.

We have this scenario already.
Many sites do not work without JavaScript, some sites do not work without Flash.
And from the postings here and on the mailing lists we know a lot of Tor users
have disabled Javascript and even more do not use Flash.

I think many Tor users are putting security before convenience
and humoring the quirks of some webmasters.
As a result there are already a lot of sites that do not work for Tor users.
And for me these are those I can easily do without.

Anonymous

May 03, 2012

To prevent DNS leaks from any application you can enable Tor's own DNS server:

DNSPort 53

Then change your network DNS settings to always use that instead:

127.0.0.1

Furthermore you should block outgoing DNS requests (port 53) with your firewall, since some applications will ignore your own DNS settings.

I'm sure there's a guide for it somewhere, otherwise it's in the documentations.
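The setup in the comment above has two halves that must agree: a DNSPort in torrc and a resolv.conf that names only the loopback address. The script below is an added example (not Tor Project code) that audits constructed sample copies of both files for the mismatches that reintroduce a leak; the firewall rule for port 53 is not modelled. It assumes the documented torrc syntax (one option per line, `#` comments) and resolv.conf `nameserver` lines, and adds one caveat the comment leaves implicit: resolv.conf cannot carry a port number, so a DNSPort other than 53 needs a local forwarder or a port redirect in front of it.

```python
"""Audit a torrc and a resolv.conf for the Tor-only DNS setup."""

# constructed sample inputs
SAMPLE_TORRC = """\
# constructed sample torrc
SocksPort 9050
DNSPort 53
"""

SAMPLE_RESOLV_CONF = """\
# constructed sample /etc/resolv.conf
nameserver 127.0.0.1
"""

LEAKY_RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 192.0.2.53   # documentation-range address standing in for an ISP resolver
"""


def _strip_comment(raw):
    return raw.split("#", 1)[0].strip()


def torrc_dns_ports(text):
    """Return every DNSPort value in torrc text (e.g. "53", "127.0.0.1:5353")."""
    ports = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "dnsport" and len(parts) == 2:
            ports.append(parts[1].strip())
    return ports


def resolv_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit(torrc_text, resolv_text):
    """Return a list of findings; an empty list means both files match the advice."""
    findings = []
    ports = torrc_dns_ports(torrc_text)
    if not ports:
        findings.append("torrc has no DNSPort: Tor is not offering a DNS resolver")
    for value in ports:
        port = value.rsplit(":", 1)[-1]
        if port != "53":
            findings.append(f"DNSPort {value} is not on port 53; resolv.conf cannot "
                            "name a port, so a forwarder or redirect is required")
    servers = resolv_nameservers(resolv_text)
    if not servers:
        findings.append("resolv.conf lists no nameserver")
    for server in servers:
        if not server.startswith("127."):
            findings.append(f"resolv.conf still points at external resolver {server}")
    return findings


if __name__ == "__main__":
    for label, resolv in (("clean", SAMPLE_RESOLV_CONF), ("leaky", LEAKY_RESOLV_CONF)):
        print(label, audit(SAMPLE_TORRC, resolv) or ["ok"])
```

The second resolver in the leaky sample is the typical failure: the loopback entry is tried first, but any timeout or failure falls through to the external resolver, which is why the comment also insists on a firewall rule.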

Anonymous

May 03, 2012

Hi I have 3 questions.

1) Is this bug also present in version 2.2.35-8 or former versions ? Or is it only present in 2.2.35-9?

2) Is this bug irrelevant if JavaScript is Disabled in Firefox?

3) Can someone, like for example arma, please explain what this bug means in really simple layman's terms? What has been exposed? What is at risk? Have the IP addresses of users been exposed? Or can websites only hypothetically link visits of Tor users to their real IP address, through timing/statistics? Is there any way websites like Google, Twitter, eBay... got hold of the real identity of Tor users because of this bug?

To answer question #3

If the DNS server you're using is keeping logs, then those logs will show at what time your computer/IP-address tried to resolve/access a domain name.

In the following examples the bold parts are what the logs would show:

http://google.com/?search=something
http://twitter.com/some_person/some_status
http://blog.torproject.org/some_post

As you can see, the logs show which domain/site you visit, but NOT which page, or protocol, or port.

They also can't see the traffic between the site and your computer, because that goes through Tor, even with this bug present.

2)
As far as I know, web sockets require JavaScript, so if JavaScript is disabled this bug will not affect you.

3)
Your ISP will possibly know you have visited certain sites using Tor, but not more than that you have visited the sites.

It may be possible to link a Tor user to your IP address through timing analysis because of this. This requires that your ISP cooperates to do so, and because this only happens for sites with web sockets, there is a limited amount of information, so it will be hard.

But now that this bug is known to the public, it may be exploited to make it much easier to track users, so from this point on you want to protect yourself.

Anonymous

May 03, 2012

Please please please open a forum. So many unanswered questions in the comment sections of the blog posts. In a forum users could search for similar questions and see related answers.

Please do it soon arma,mikeperry,ioerror, we need a forum!!

Amen to that!

I just cannot understand the logic in offering individual email and even *telephone* support* but not a forum.

By individual email and telephone, you are undoubtedly answering many of the same questions repeatedly, many times over. How can this be an efficient use of limited time and resources?

"In a forum users could search for similar questions and see related answers."

Yes, exactly.

As I wrote in a previous post to the Tor Blog:

I appreciate your offering support by email and telephone. I am rather surprised and perplexed, however, that you would offer such direct, one-to-one support while apparently not offering a public support forum. I cannot imagine how this can be cost-effective for you. Surely, you must receive many repeat questions. If people were directed to a forum and at least strongly encouraged-- if not actually _required_-- to search for answers to their questions before making a new post, it would no doubt save you much unnecessary time and effort. Additionally, in a forum, contributing members of the public would invariably at least sometimes answer questions accurately, and then you could simply post to corroborate and verify their answers.

Surely, you must have considered these points by now.

If personal email and telephone support are still going to be offered, then wherever the telephone number and email address are listed, there should appear alongside them a notice urging people to first search the forum and preferably, if at all possible, Google as well, for an answer before emailing or calling. (And explain the reality of limited, overstretched resources, non-profit, volunteer nature, etc.)

*What other completely free product offers completely free telephone support? Unheard of, as far as I'm aware.

Well, then...

First of all, I would ask: instead of ignoring at least 90% of the legitimate questions that get posted here, why don't the people who run this blog direct people to those channels?

Second, the points made above regarding efficiency and cost-effectiveness hold true for IRC as well. Only relatively few people can be helped at any given time, and unlike a forum, others can't benefit from the time and effort that was spent. The answers basically vanish into the ether after a very short time.

Thirdly, a forum is far more universally, easily and anonymously accessible than any type of mailing list. All one needs to access a forum is access to the web. A mailing list requires a legitimate email address to subscribe and then repeated, regular access to the email account that was used. This can pose a number of challenges and hurdles with respect to anonymity as well as security.

I agree. I think it's utterly disrespectful to all Tor users not having a forum. A forum is the most fundamental level of support of any good software.