This week, information security expert Neal Krawetz, who manages several Tor nodes himself, revealed details of two zero-day vulnerabilities affecting the Tor network itself and the Tor Browser.
The researcher says that Tor developers have repeatedly refused to fix the problems he found, so he decided to make the vulnerabilities public. Even worse, Krawetz promises to release information about three more 0-day bugs in the near future, one of which can be used to reveal the real IP addresses of Tor servers.
The specialist described the first 0-day problem in his blog on July 23, 2020. In this article, he explained how companies and Internet service providers can block users from connecting to the Tor network. All you need to do is scan network connections for a specific packet signature that is unique to Tor traffic.
Krawetz described the second 0-day vulnerability in a blog post today, July 30, 2020. The second bug also allows network operators to detect Tor traffic. But while the first problem can be used to detect direct connections to the Tor network (to Tor guard nodes), the second vulnerability can be used to detect indirect connections, that is, the connections users establish with Tor bridges.
Let me remind you that bridges work as a kind of proxy, passing the connection from the user to the Tor network itself. Since they are an extremely sensitive part of the Tor infrastructure, the list of bridges is constantly updated to make it harder for providers to block them. And Krawetz writes that connections to Tor bridges can be easily detected by tracking specific TCP packets.
"After my previous blog post and this one, you have everything you need to strengthen the [tor blocking] policy with a real-time packet inspection system. You can prevent all your users from connecting to Tor, regardless of whether they are connected directly or using a bridge," the expert writes.
The specialist also says that, in his opinion, Tor Project engineers do not take the security of their networks, tools and users seriously enough. He refers to his previous experience and numerous attempts to inform Tor developers about various bugs that were never fixed in the end. Among them:
- a vulnerability that allows sites to detect and recognize users of the Tor browser by the width of the scroll bar, which developers have known about since June 2017;
- a vulnerability that allows Tor bridges to be detected using their OR (onion routing) port, discovered eight years ago;
- a vulnerability that allows identifying the SSL library used by Tor servers, found on December 27, 2017.