1. "using JavaScript, you can identify the scrollbar width [...] so an attacker can identify the underlying operating system"
Using JavaScript, you can simply ask Tor Browser what platform it's on using navigator.userAgent, and it will tell you the truth because lying breaks e.g. websites' custom key combinations. Tor Browser will however attempt to anonymize the platform in passive indicators, i.e. HTTP User-Agent: https://blog.torproject.org/new-release-tor-browser-801 (search for "User Agent")
"Checking every network connection against every possible Tor node takes time. This is fine if you have a slow network or low traffic volume, but it doesn't scale well for high-volume networks."
If you can muck around in TLS cert fields in real time, you can look up an IP address in a hash table...
"Second, the list of nodes changes often. This creates a race condition, where there may be a new Tor node that is seen by Tor users but isn't in your block list yet."
Oh no! (clutches pearls)
Not to say that it isn't worthwhile to tidy up the TLS fields some more, but hyping this as a zeroday is absurd.
Also, it seems to me that whatever they do to make the TLS handshake and certificate look more like a typical web server, they would never be able to make it exactly match. Tor connections could still be identified by simple things like the self-signed certificate, the random hostname, the hostname<->IP mismatch, and so on.
Trying to fix this would be a never-ending losing battle, I can understand why the Tor project aren't that interested in changing things.
Wrt #1, I think the issue is that scrollbar size makes it easier to tell one Tor user apart from another in the Tor browser, not that you can determine they are running in the Tor browser (or even know their platform from a common fixed set). For most users of Tor and the Tor browser, simply checking that they are coming from a publicly known list of exit node IPs is enough (or if they are already hitting an onion service, then it's obvious).
I'd definetely consider Tor Node Fingerprinting (2nd issue) to be an important issue.
Nonetheless, both issues have been _accepted_ as those by Tor Maintainers, yet they failed to act appropriately.
This post talks about how you can identify a running Tor when you connect to the (operator-assigned, public) relay port. You can only "see" these TLS certificate details when you are connecting to the relay yourself. This means this does not allow network operators to detect traffic going to Tor nodes, or in-between nodes, let alone identify users or deanonymize anyone: To external observers, such traffic looks like typical browser TLS traffic.
So, what this does is allow you to identify Tor nodes, which is by definition not a problem for all Tor relays except bridges, which should not be as easily discoverable by a network scan. The problem has been known before, and work as been done so you can now run a Tor bridge without this problem. As this problem has been publicly discussed and outlined in the very first design documents, it cannot be called a "0day", even if it was more problematic than it actually is.
Tor came up with the concept of "pluggable transports" to address this very successfully, which allows clients and entry bridges to basically make Tor traffic look like anything you want.
The author of this blog strongly comes across as a person who understands a good deal about finding vulnerabilities, but doesn't really understand the tradeoffs being made in maintaining usable anonymity software such as the Tor browser.
The reported scroll bar width vulnerability is his strongest case. He rightly got a bounty for it. But it's relatively hard to fix, and until recently, the Tor browser also just leaked your window size via Javascript. But they're getting there, slowly.
However, the story about public bridge certificates is pretty unjustified. The response he got from the Tor Project is completely clear, and his proposed solution in trying to impersonate traditional PKI simply won't work against even mediocre attackers. Furthermore, bridge enumeration as a systemic attack might be a problem against censorship systems, but can't rightly be called a '0day'. Private bridges (https://bridges.torproject.org) also solve a lot of the problem.
In the linked ticket, you clearly see that they are trying pretty hard to find a sponsor willing to fund the solution.
> and until recently, the Tor browser also just leaked your window size via Javascript.
Though this was why Tor would always open in the same window size. But ya, that all fell apart if you maximized.
When did they fix “the leak” itself? Wouldn’t that require intercepting the JavaScript call in the same way that the scroll bar size issue could be fixed?
Could you expand on "his proposed solution in trying to impersonate traditional PKI simply won't work against even mediocre attackers" ? How would you defeat his proposed solution?
> The bug is simple enough: using JavaScript, you can identify the scrollbar width.
I thought it was accepted and strongly emphasized that running JavaScript in a Tor environment was insecure and could leak information in all sorts of ways, which is why Tor Browser came with NoScript enabled by default.
Is that no longer the case? Is there now an expectation that you should be able to safely run JS in Tor Browser without risk?
Javascript is unfortunately a major part of the web. In terms of Tor's core goals, I think it's preventing the leaking of IP information and overcoming censorship. Preventing websites from identifying a Tor browser is probably a secondary goal.
A website operator can already get refreshed lists of Tor exit nodes and simply block them. Your ISP/government can already see that there's Tor traffic coming from your house, and probably "match" at least some activity with an exit node.
>Checking every network connection against every possible Tor node takes time. This is fine if you have a slow network or low traffic volume, but it doesn't scale well for high-volume networks
What? I can't tell if this is sarcastic or not. There's only around 3000 tor entry nodes[1]. This is orders of magnitude smaller than the number of entries in the internet routing table, which is around 800k. This means at the worst case, if you're an ISP, you can block tor nodes at the router level with virtually zero impact.
It’s no problem, he has some regexs you can put in your DPI system to catch the connections instead. Regex is cheap right? Especially when it is long and complex.
> "After a lot of back-and-forth technical discussions, the Tor Project's representative wrote, "I'm a bit lost with all this info in this ticket. I feel like lots of the discussion here is fruitful but they are more brainstormy and researchy and less fitting to a bug bounty ticket." They concluded with: "Is there a particular bug you want to submit for bug bounty?" In my opinion, describing a vulnerability and mitigation options is not "brainstormy and researchy". To me, it sounds like they were either not competent enough to fix the bug, or they were not interested. In any case, they were just wasting time."
This plus the other descriptions/responses from the project in his post makes me think the project has attracted a lot of people that aren't programmers or can't actually do the valuable work of fixing the thing (though I'd be interested in seeing the specific ticket).
I'd guess that projects like Tor that interest people outside of strict programmer types have this as a bigger issue.
The result is you end up with a lot of people filing tickets and writing emails, but very few actually doing work to fix things because they don't know how. The few that could figure it out, are probably over extended. Having non-programmers interested in helping isn't necessarily a bad thing since good support people help make it easier to fix issues, but it can become bad if support people bias to closing issues because they can't fix them and closing them becomes the goal.
Tor does have some obfuscation proxies (called pluggable transports) to try and disguise the traffic to make it harder to block (there were videos a few years ago when I looked into how Tor worked that talked about this, the traffic is disguised as VOIP among other things). I know China blocks Tor by blocking all the bridge nodes it can find (both public and private) and by using the tricks he describes to slow or stop identified traffic. I think the head of the project cares about these issues.
Not an easy problem to fix, they probably need more programmers. Maybe a direct focus on these issues would help, but it could be they're focused on problems of similar or worse severity (hard to know).
I think the author’s problem is that he finds vulnerabilities thinking outside the box. Traditionaly vulnerabilities exist when you can inject payloads, get access to somewhere you don’t have access to.
His points are valid, and these are vulnerabilities. However they seem like feature requests, rather than being focused on a technical vulnerability (for example use after free).
> (Many users think that Tor makes them anonymous. But Tor users can be tracked online; they are not anonymous.)
Being tracked and anonymous feel like two distinct issues. If you were to only see a hash of my username, you could track me, but you couldn't identify me with it. Definitely something you'd want TOR to stop, but I think that's pretty important.
The other vulnerability is that websites can identify that a user is using TOR. My understanding is that this has always been fairly trivial?
It feels like the real 'story' here is that the TOR project hasn't been grooming their bug bounty program, and so there may be more serious bugs lurking.
> If you were to only see a hash of my username, you could track me, but you couldn't identify me with it.
Pseudonymous is the word for that sort of "tracking". Tracking just means being tracked, no matter if they use the real name or a hash of it or fingerprinting/metadata like IP + user agent string + installed fonts.
As a person who has, over the years, been recommending Tor and defending it against people claiming it's backdoored and useless, I'm disappointed. Can anybody here on HN give information on how some Tor alternatives and projects with similar goals are holding up?
There's really no reason to be disappointed. The post above both isn't about any real vulnerabilities in the service, and does not have any real solutions to the problems posed.
I'm not realy using it much but i2p[0] has been around for a while. It's Java though as all other projects like this in case you have anything against it.
I'm not sure there is a good alternative. Most of the alternatives are built with Java, which (considering tor isn't considered safe with Java enabled) doesn't seem like an improvement.
Is there an alternative that's performant and built with a decent language? Or do the good ones just get snuffed out?
I believe they are demonstrating one of their 0days. Easily identifying tor traffic based on the packet.
0Day #1: Blocking Tor Connections the Smart Way
There are two problems with the "block them all" approach. First, there are thousands of Tor nodes. Checking every network connection against every possible Tor node takes time. This is fine if you have a slow network or low traffic volume, but it doesn't scale well for high-volume networks. Second, the list of nodes changes often. This creates a race condition, where there may be a new Tor node that is seen by Tor users but isn't in your block list yet.
However, what if there was a distinct packet signature provided by every Tor node that can be used to detect a Tor network connection? Then you could set the filter to look for the signature and stop all Tor connections. As it turns out, this packet signature is not theoretical.
Sorry, this seems bogus. There are a lot of ways to block Tor connections, and Tor doesn't try to make it particularly hard to identify ordinary entry nodes. That's what bridge nodes are for, if you need it.
Could someone in the know inform me as to whether or not my knee jerk reaction of "couldn't this individual possibly contribute to the Tor project instead?" is warranted?
They are contributing to the Tor project by sending detailed vulnerability reports. As for demanding that they fix/upstream changes themselves, then yes, that's likely too big of an ask, as even these reports are a gift. Tor has paid employees. "PRs welcome, wontfix" is not acceptable for security vulnerabilities in a security product.
> Unfortunately, sometimes companies are non-responsive. At that point, I have a few options. I can sell the vulnerability to someone else who will certainly exploit it. I can just let it sit -- maybe the bug will be fixed by coincidence or become obsolete, or maybe I'll find another use for it later. (I have a large collection of sitting vulnerabilities, some dating back decades.)
This sounds so interesting to me to hear about. Can anyone recommend a podcast where like-minded engineers discuss things like this? I'd love to vicariously live through their hacking adventures.
Sitting on bugs is just being an asshole, not a great adventure. In most cases there really isn't that much to tell anyway: you find a bug, either on your own or in a customer project, and for some reason it doesn't get fixed. Perhaps management accepts the risk and you're bound by an NDA. Perhaps you plan to make a patch so people can also update when you publish but you haven't found the time for the patch and so it continues (I know of a denial of service in nextcloud like this: it's trivial to find (go ahead) and out of scope for their security program so nextcloud tells us it's a wontfix; we're still meaning to release a patch but it has been two months now, though it's only denial of service anyway). If the bug just so happens to be useful in the future, it's like using a public bug except you're the only one knowing it and you can feel real proud of yourself for putting everyone at risk during that time.
I have gotten the impression over the last few years that the Tor Project has embraced social justice and diversity to the detriment of their software.
I find that when I come across comments or jokes that might expose biases, rather than interrogate the person you can expose those by just asking the simplest questions, the ones that seem too obvious to ask. When someone says a joke that might be described as biased, usually using a more particular word, just ask them to explain the joke. That usually is more revealing than calling its speaker a name.
So, I don't want to infer your opinions, but I want to ask: what about social justice and diversity is to the detriment of their software?
[+] [-] flotzam|5 years ago|reply
1. "using JavaScript, you can identify the scrollbar width [...] so an attacker can identify the underlying operating system"
Using JavaScript, you can simply ask Tor Browser what platform it's on using navigator.userAgent, and it will tell you the truth because lying breaks e.g. websites' custom key combinations. Tor Browser will however attempt to anonymize the platform in passive indicators, i.e. HTTP User-Agent: https://blog.torproject.org/new-release-tor-browser-801 (search for "User Agent")
(EDIT) This was too dismissive, because scrollbar width differences are more fine-grained than platform differences: https://bugzilla.mozilla.org/show_bug.cgi?id=1397996#c5
2. Blocking entry node connections:
"Checking every network connection against every possible Tor node takes time. This is fine if you have a slow network or low traffic volume, but it doesn't scale well for high-volume networks."
If you can muck around in TLS cert fields in real time, you can look up an IP address in a hash table...
"Second, the list of nodes changes often. This creates a race condition, where there may be a new Tor node that is seen by Tor users but isn't in your block list yet."
Oh no! (clutches pearls)
Not to say that it isn't worthwhile to tidy up the TLS fields some more, but hyping this as a zeroday is absurd.
[+] [-] WookieRushing|5 years ago|reply
There are many other ways to detect TOR connections or nodes and block them. Theres enough that there are a whole set of ways of obfuscating traffic called pluggable transports: https://trac.torproject.org/projects/tor/wiki/doc/AChildsGar...
[+] [-] joosters|5 years ago|reply
Trying to fix this would be a never-ending losing battle, I can understand why the Tor project aren't that interested in changing things.
[+] [-] kodablah|5 years ago|reply
[+] [-] phenomax|5 years ago|reply
[+] [-] rendx|5 years ago|reply
This post talks about how you can identify a running Tor when you connect to the (operator-assigned, public) relay port. You can only "see" these TLS certificate details when you are connecting to the relay yourself. This means this does not allow network operators to detect traffic going to Tor nodes, or in-between nodes, let alone identify users or deanonymize anyone: To external observers, such traffic looks like typical browser TLS traffic.
So, what this does is allow you to identify Tor nodes, which is by definition not a problem for all Tor relays except bridges, which should not be as easily discoverable by a network scan. The problem has been known before, and work as been done so you can now run a Tor bridge without this problem. As this problem has been publicly discussed and outlined in the very first design documents, it cannot be called a "0day", even if it was more problematic than it actually is.
Tor came up with the concept of "pluggable transports" to address this very successfully, which allows clients and entry bridges to basically make Tor traffic look like anything you want.
[+] [-] MrStonedOne|5 years ago|reply
In this case the fact that a user is using tor is considered protected information meaning any exposure of that is in fact a info leak vulnerability
[+] [-] throwaway89201|5 years ago|reply
The reported scroll bar width vulnerability is his strongest case. He rightly got a bounty for it. But it's relatively hard to fix, and until recently, the Tor browser also just leaked your window size via Javascript. But they're getting there, slowly.
However, the story about public bridge certificates is pretty unjustified. The response he got from the Tor Project is completely clear, and his proposed solution in trying to impersonate traditional PKI simply won't work against even mediocre attackers. Furthermore, bridge enumeration as a systemic attack might be a problem against censorship systems, but can't rightly be called a '0day'. Private bridges (https://bridges.torproject.org) also solve a lot of the problem.
In the linked ticket, you clearly see that they are trying pretty hard to find a sponsor willing to fund the solution.
[+] [-] Scoundreller|5 years ago|reply
Though this was why Tor would always open in the same window size. But ya, that all fell apart if you maximized.
When did they fix “the leak” itself? Wouldn’t that require intercepting the JavaScript call in the same way that the scroll bar size issue could be fixed?
[+] [-] wcerfgba|5 years ago|reply
[+] [-] piaste|5 years ago|reply
I thought it was accepted and strongly emphasized that running JavaScript in a Tor environment was insecure and could leak information in all sorts of ways, which is why Tor Browser came with NoScript enabled by default.
Is that no longer the case? Is there now an expectation that you should be able to safely run JS in Tor Browser without risk?
[+] [-] ed25519FUUU|5 years ago|reply
A website operator can already get refreshed lists of Tor exit nodes and simply block them. Your ISP/government can already see that there's Tor traffic coming from your house, and probably "match" at least some activity with an exit node.
[+] [-] flotzam|5 years ago|reply
[+] [-] ColanR|5 years ago|reply
[+] [-] ainar-g|5 years ago|reply
[+] [-] gruez|5 years ago|reply
What? I can't tell if this is sarcastic or not. There's only around 3000 tor entry nodes[1]. This is orders of magnitude smaller than the number of entries in the internet routing table, which is around 800k. This means at the worst case, if you're an ISP, you can block tor nodes at the router level with virtually zero impact.
[1] https://onionoo.torproject.org/details?search=flag:Guard%20r...
[+] [-] jandrese|5 years ago|reply
[+] [-] ddalex|5 years ago|reply
[+] [-] gonehome|5 years ago|reply
This plus the other descriptions/responses from the project in his post makes me think the project has attracted a lot of people that aren't programmers or can't actually do the valuable work of fixing the thing (though I'd be interested in seeing the specific ticket).
I'd guess that projects like Tor that interest people outside of strict programmer types have this as a bigger issue.
The result is you end up with a lot of people filing tickets and writing emails, but very few actually doing work to fix things because they don't know how. The few that could figure it out, are probably over extended. Having non-programmers interested in helping isn't necessarily a bad thing since good support people help make it easier to fix issues, but it can become bad if support people bias to closing issues because they can't fix them and closing them becomes the goal.
Tor does have some obfuscation proxies (called pluggable transports) to try and disguise the traffic to make it harder to block (there were videos a few years ago when I looked into how Tor worked that talked about this, the traffic is disguised as VOIP among other things). I know China blocks Tor by blocking all the bridge nodes it can find (both public and private) and by using the tricks he describes to slow or stop identified traffic. I think the head of the project cares about these issues.
Not an easy problem to fix, they probably need more programmers. Maybe a direct focus on these issues would help, but it could be they're focused on problems of similar or worse severity (hard to know).
[+] [-] terminalcommand|5 years ago|reply
His points are valid, and these are vulnerabilities. However they seem like feature requests, rather than being focused on a technical vulnerability (for example use after free).
[+] [-] tinus_hn|5 years ago|reply
I’ll wait and see if there are any real vulnerabilities in the queue.
[+] [-] staticassertion|5 years ago|reply
Being tracked and anonymous feel like two distinct issues. If you were to only see a hash of my username, you could track me, but you couldn't identify me with it. Definitely something you'd want TOR to stop, but I think that's pretty important.
The other vulnerability is that websites can identify that a user is using TOR. My understanding is that this has always been fairly trivial?
It feels like the real 'story' here is that the TOR project hasn't been grooming their bug bounty program, and so there may be more serious bugs lurking.
[+] [-] lucb1e|5 years ago|reply
Pseudonymous is the word for that sort of "tracking". Tracking just means being tracked, no matter if they use the real name or a hash of it or fingerprinting/metadata like IP + user agent string + installed fonts.
[+] [-] syrrim|5 years ago|reply
[+] [-] sanqui|5 years ago|reply
[+] [-] mirashii|5 years ago|reply
[+] [-] Moru|5 years ago|reply
[0] https://geti2p.net/en/
[+] [-] ColanR|5 years ago|reply
Is there an alternative that's performant and built with a decent language? Or do the good ones just get snuffed out?
[+] [-] kyboren|5 years ago|reply
[+] [-] r3trohack3r|5 years ago|reply
[+] [-] phyzome|5 years ago|reply
[+] [-] countbackula|5 years ago|reply
[+] [-] sloshnmosh|5 years ago|reply
I don’t allow JavaScript to run on my mobile browser because of the disturbing crash logs in WebKit in the few times I have enabled JS.
[+] [-] leksak|5 years ago|reply
[+] [-] eat_veggies|5 years ago|reply
[+] [-] ed25519FUUU|5 years ago|reply
This sounds so interesting to me to hear about. Can anyone recommend a podcast where like-minded engineers discuss things like this? I'd love to vicariously live through their hacking adventures.
[+] [-] lucb1e|5 years ago|reply
[+] [-] unknown|5 years ago|reply
[deleted]
[+] [-] dontcare1|5 years ago|reply
[deleted]
[+] [-] smooth_remmy|5 years ago|reply
[+] [-] AaronFriel|5 years ago|reply
So, I don't want to infer your opinions, but I want to ask: what about social justice and diversity is to the detriment of their software?
[+] [-] Acrobatic_Road|5 years ago|reply
[+] [-] camdenlock|5 years ago|reply