
Tor Browser Security Under Scrutiny

Posted by Soulskill
from the shouldn't-we-be-funding-this-better dept.
msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.
  • by Virtucon (127420) on Wednesday August 20, 2014 @03:25PM (#47715211)

    Why not work with Mozilla to address the issues? What about Chromium? I'd put the brakes on anything Google does with Chrome. Their ever-shifting policies have meant that it's no longer a preferred solution to our clients and to my customers. These aren't minor issues either, since Google has been building their own walled garden, something a lot of FOSS and commercial software organizations won't support. Firefox, at least for now, is void of these issues and is much friendlier to the community as a whole.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      They already do work with Mozilla.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Firefox, at least for now, is void of these issues and is much friendlier to the community as a whole.

      As somebody who's been involved in Netscape/Mozilla/Firefox development since the 1990's, I can't think of many statements that are more false than this one. Mozilla is hostile to users in general and continually ignores the most popular bugs in order to implement stupid imitation-Chrome features that are unpopular with the users. In fact, they wear it as a badge of honor like they're flipping us the bird a

      • by Skuto (171945)

        As an anonymous troll that is an authority on the subject, I think the parent is full of shit.

    • by wbr1 (2538558) on Wednesday August 20, 2014 @04:23PM (#47715749)
      Chrome/Chromium on Windows uses the Windows Crypto API to install and verify certs. This bypasses the Tor proxy and allows for a MITM attack with no user knowledge. Changing this requires more work than what they have to do with FF.

      My questions are thus... why not move to a model where the entire OS is forced through the Tor proxy? This could be done with the use of a dummy network adapter and disabling the current adapter while Tor is in use. Yes, it would likely break certain OS features during that time, but there it is.

      TFA also discusses putting a dumbed-down security 'slider' on the browser, but still the default is to allow JIT/JS. Currently you have NoScript installed, but not turned on in a fresh install. A few lines of JS is enough to identify an IP or fingerprint more of the system. The default should be most secure, with warnings to open it up. Period. At install time you already explain that things do not work like you are used to, and then allow the user to decide to reduce security. Anything else provides an illusion of security to a naive user, but still allows an adversary easy means of detection.

      • by Anonymous Coward

        In response to your first comment, Tails is the answer. Like the TorBrowser bundle does for Tor itself in the browser space, Tails does for Tor from a wider space (everything is dropped or forced through Tor). Now you might make the argument that Tails goes too far in that it's technical. That same thing can be said for your comment on the slider option defaulting to a less than perfect setting. However, if you don't do that then you'll make it even more difficult for people to adopt it. This also has a neg

      • by mcrbids (148650)

        My questions are thus... why not move to a model where the entire OS is forced through the Tor proxy? This could be done with the use of a dummy network adapter and disabling the current adapter while Tor is in use. Yes, it would likely break certain OS features during that time, but there it is.

        This is a bit like plugging a power strip into itself. It might seem self evident why that should work, but alas, it does not. /s

        How do you think Tor communicates with the Internet at large, if not using the OS network stack? And if you co-opt that stack, how, pray tell, do you expect Tor to be able to communicate with the Tor nodes?

        • by EETech1 (1179269)

          If there was ever a reason to have the device driver firmware loaded by the OS, instead of being stored on the device in flash, I think this is it!

          Otherwise, just pwn the network card, and you can send out digital breadcrumbs forever.

          At least you can include firmware you think you can trust.

  • Address Space Layout Randomization is disabled on Windows and Mac

    Due to our use of cross-compilation and non-standard toolchains in our reproducible build system, several hardening features have ended up disabled. We have known about the Windows issues prior to this report, and should have a fix for them soon. However, the MacOS issues are news to us, and appear to require that we build 64 bit versions of the Tor Browser for full support. The parent ticket for all basic hardening issues in Tor Browser is bu

    • Re: (Score:3, Interesting)

      by Em Adespoton (792954)

      One question I have is:
      They say ASLR is disabled, and then they recommend using the product with EMET. However, if ASLR is disabled, doesn't that mean that EMET won't be compatible? EMET requires a number of features to be handled correctly before it can be used.

      Seems to me that what really has to happen (in this order) is:

      1) Mozilla fixes jemalloc or just replaces it with something like PartitionAlloc, fixing these issues for ALL variants that depend on it.

      2) TorBrowser takes the Firefox code and recompi

      • by vux984 (928602)

        They say ASLR is disabled

        I *think* what they are saying is that:
        ASLR is disabled in their build of the software. (It must be enabled via compiler option).

        However, ASLR is enabled in windows itself.

        from Microsoft:

        http://www.microsoft.com/secur... [microsoft.com]

        Address Space Layout Randomization (ASLR): In older versions of Windows, core processes tended to be loaded into predictable memory locations upon system startup. Some exploits work by targeting memory locations known to be associated with particular processes. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process. The combination of ASLR and DEP creates a fairly formidable barrier for attackers to overcome in order to achieve reliable code execution when exploiting vulnerabilities.

        ASLR was introduced in Windows Vista and has been included in all subsequent releases of Windows. As with DEP, ASLR is only enabled by default for core operating system binaries and applications that are explicitly configured to use it via a new linker switch.

        As for EMET and ASLR:

        Basically EMET can force recent versions of Windows to use ASLR even on applications that don't explicitly build with support for it:

        http://krebsonsecurity.com/tag... [krebsonsecurity.com]

        EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you'll need to have Microsoft's .NET Framework 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

        • Ah; so they're not saying that they disable ASLR, they're just saying they aren't baking it in (which EMET can do for free).

          That makes much more sense if it's the case. I never use TorBrowser on Windows, so I haven't seen how it actually behaves.

      • The fact that ASLR is not universally applied is a bug, full stop. It needs to be fixed ASAP.

        Once you do *that*, exploring running TBB with EMET is worthwhile, as EMET may make exploitation more difficult. I'm not certain that it would actually make it difficult enough for Tor Project to try and get non-technical people to use it, but it's worth exploring IMO.

        To your points: PartitionAlloc is independent of ASLR. The deterministic build system relies on cross-compiling on Linux for Windows/Mac.
        • Thanks! This is excellent info. I do think that a Pwn2Own on TBB would be useful either way -- either it's hardened a lot and fares well, thus getting good publicity as a private AND secure browser, or the glaring bugs are fixed, it fails miserably in the P2O, and the visibility is improved that while it may be somewhat anonymous, it is by no means secure, and people pitch in to help fix that. Seems like a win-win to me, as long as donors are footing the prize bill.
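The sub-thread above turns on whether a Windows build opted into ASLR at link time (the /DYNAMICBASE flag the Microsoft text calls "a new linker switch") versus EMET forcing it afterwards. The following is an added example, not code from the report, the Tor Project or any commenter: it reads the PE optional header's DllCharacteristics field and reports the ASLR/DEP opt-in bits, and builds a constructed minimal header so it runs offline. Pass a real `.exe`/`.dll` path as the first argument to inspect an actual binary.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
DYNAMIC_BASE    = 0x0040  # ASLR opt-in, set by the linker (/DYNAMICBASE)
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (meaningful for PE32+ only)
NX_COMPAT       = 0x0100  # DEP opt-in (/NXCOMPAT)


def pe_hardening_flags(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the linker hardening opt-ins.

    A missing 'aslr' bit means the loader will not randomize the image base
    unless something external (e.g. EMET's mandatory ASLR) forces it.
    Raises ValueError for anything that is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # skip signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both formats
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def build_synthetic_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not an executable image) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)   # 20 bytes
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(pe_hardening_flags(f.read()))
    else:  # no file given: show a non-opted-in header beside a hardened one
        print(pe_hardening_flags(build_synthetic_pe(0)))
        print(pe_hardening_flags(build_synthetic_pe(DYNAMIC_BASE | NX_COMPAT)))
```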

  • by The MAZZTer (911996) on Wednesday August 20, 2014 @04:45PM (#47715923) Homepage

    I assume they mean that it hooks into the OS-level proxy settings. That is a good thing, I hate configuring my proxy settings over and over and over for every application when the OS already has a setting for it.

    But it isn't a limitation, last I checked there was a command line parameter for forcing use of a proxy. So just make a launcher app that forces Chrome to use Tor. You should be able to even launch a Tor-using Chrome side-by-side with a non-Tor Chrome if you set it up right (using --user-data-dir to make a new Chrome profile and instance instead of using a local user profile and instance).

    • Remember the audience. This was written for people who want to know about browsers and Tor. Not for people who want usability.

      Specifically, "several bugs required for basic proxy-safe Tor support for Google Chrome's Incognito Mode ended up blocked for various reasons."

      So even your command line parameter thing is irrelevant.

      Which brings me to this:

      So just make a launcher app that forces Chrome to use Tor. You should be able

      Stop right there. Everyone who ever said "it's as easy as..." or some variation ha

  • by roca (43122) on Wednesday August 20, 2014 @07:16PM (#47716881) Homepage

    Maybe I'm missing something, but I've read the whole report and I can't find anything that says "don't favor Firefox as a baseline for Tor, rather Google Chrome".

    • Re: (Score:3, Informative)

      by Anonymous Coward

      They don't. They simply acknowledge that Chrome has a safer memory deallocator, and that the Chrome team has put some actual effort into security in their browser.

      There is just an active effort now to discredit Firefox at every possible opportunity. It has cropped up in pretty much every browser discussion, at pretty much every opportunity. For every negative point that might have some merit or at least tries to be level-headed, there are two or more that blindly paint Firefox and Mozilla in a negative

      • by Skuto (171945)

        The sheep (or astroturfers, can't tell) have decided that Chrome is the cool thing and everything else must die, facts be damned.

      • by doom (14564)
        I know this is kind of wild and crazy, but could it be that Firefox is developing this weird reputation of egocentric designers intent on pissing-off long term users because there's actually some truth in it?
    • by Skuto (171945) on Thursday August 21, 2014 @04:13AM (#47718785) Homepage

      I was wondering the same thing. The only thing the report says is "implementing security features that Chromium has and work in Firefox would help Tor".

      The headline is a lie.

      • by Anonymous Coward

        They didn't even mention the process-model of Firefox. Which would be the first thing a layman would mention. Which at least in theory should make Chromium more secure.

        Not that they really need to replace Firefox in the long run for that. Because Electrolysis, as the multi-process Firefox project is called, is scheduled to go in at the end of this year or at the start of next year.

        • by Skuto (171945)

          It's been in Nightly for a while. I'm posting using it. The only thing that doesn't work well for me is...Gmail.

          There's also full sandboxing support, but you need a compile time flag for it.

          • by Anonymous Coward

            I believe I read somewhere multi-process Firefox is targeted for Firefox 36. That is why I mentioned end of the year.

        • Agreed, we don't say 'Use Chrome', just that Chrome has a lot of security stuff we wish was in Firefox. We explicitly did not investigate FF sandboxing/multi-processing (and I thought we said that we explicitly excluded it) because we're not going to be able to make significant headway on that in 6 weeks while FF has been working on it for a while.
  • And seriously, if you can't make your site look good in links, I don't need you. Wait, /. looks like shit on links... Dammit.

  • Wait, so Gecko is full of ***KNOWN*** "zero" days--zero in the sense we don't know about them, but Mozilla does? Please tell me I'm reading that wrong!

    • by Skuto (171945)

      Security bugs filed against Firefox are private until a new release is out to the users. If the issue is critical (looks like it can be exploited), it will be in a x.0.1 update. If it isn't, then it will be in n+1.

      Another way of stating what you said is "if Firefox engineers find a way to 0-day their own browser, they fix it before plastering the information on how to do it all over the internet".

      • What Skuto said, except "are private until a new release is out to the users" is really "6 to 12 months or more down the line" because (I think) they affect the Firefox OS core also which is on a much different schedule. You can actually go through all the bugs here: https://github.com/iSECPartner... [github.com] but most of them will in fact be 'private'.
  • by Skuto (171945) on Thursday August 21, 2014 @04:23AM (#47718813) Homepage

    "The Chrome Security team has been a source of innovation in the browser security space. Tor Browser Bundle is based on Firefox and thus inherits progress made by Mozilla automatically. While improvements in Chrome may not be appropriate for Firefox, they could be integrated in Tor Browser Bundle. In a best case scenario, members of the Chrome Security team may be allowed to work with the Tor Project on these changes."

    Basically it's saying: Chrome is also doing good stuff, combine it with the stuff you get from Mozilla for a better result.

  • What about when Google adds in some code by request of NSA?
