Tor Browser Security Under Scrutiny
msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.
Re: (Score:2)
The FBI and NSA knew it was shit years ago.
Just sayin...
So did I. I gave up on Firefox once they moved away from the "less is more" school of design, several years ago. Same reason I gave up on Netscape before that-- creeping featurism. What I want in a browser is lean and mean. REALLY mean. The more complicated a browser is, the bigger the risk of security flaws.
Re: (Score:2)
Palemoon is just Firefox 24 ESR, which is coincidentally what the Tor Browser Bundle used to be based on.
Re:Not surprising... (Score:5, Insightful)
I feel the same way about Tor as I do about DuckDuckGo: if I were paranoid enough to use it, I would be paranoid enough to wonder how it gets along without a business model.
Re: (Score:2)
I also feel the same way about Tor as I do about DuckDuckGo: great ideas in theory, but way too much of a pain to use, given that I don't really have anything terribly important to hide.
Re: (Score:1)
I was curious so I looked for an answer.
https://duck.co/help/company/advertising-and-affiliates
Re: (Score:2)
I agree, sometimes it is better to hide in plain site than hide where you could be expected to hide.
Re: (Score:2)
sight
Why not work with Mozilla (Score:5, Interesting)
Why not work with Mozilla to address the issues? What about Chromium? I'd put the brakes on anything Google does with Chrome. Their ever-shifting policies have meant that it's no longer a preferred solution to our clients and to my customers. These aren't minor issues either since Google has been building their own walled garden, something a lot of FOSS and Commercial Software organizations won't support. Firefox at least for now, is void of these issues and is much friendlier to the community as a whole.
Re: (Score:1, Informative)
They already do work with Mozilla.
Re: (Score:2, Informative)
Mozilla doesn't care. They are actively undermining features needed to use Tor safely (and, arguably, to browse at all safely).
Firefox has lost the ability to disable javascript;
Let's see.. *clicks on about:config?filter=javascript.enabled in my bookmarks* Nope, still able to do that.
it's gained tons of privacy-violating tracking features, some of which report every URL you visit to Google;
it keeps cookies forever by default; and it's gaining more and more browser fingerprinting sources with every release.
Nope again, [mozilla.org] and defaults are easy to change when you're building your own TOR browser.
There's plenty of room elsewhere in Firefox for improvement, and patches are welcome, so there's really no need for this FUD.
Re: (Score:1, Insightful)
Firefox at least for now, is void of these issues and is much friendlier to the community as a whole.
As somebody who's been involved in Netscape/Mozilla/Firefox development since the 1990's, I can't think of many statements that are more false than this one. Mozilla is hostile to users in general and continually ignores the most popular bugs in order to implement stupid imitation-Chrome features that are unpopular with the users. In fact, they wear it as a badge of honor like they're flipping us the bird a
If AC PP is actually a pre-mozilla developer... (Score:1)
Dating back to the *90s*, and not just as a web developer/end user, I imagine they are *INTIMATELY* familiar with Netscape's culture, which judging by my experiences over the years is anecdotally true. They significantly bloated the Netscape browser code before releasing it to the community. They made Mozilla Browser a joke until Firefox came out and they jumped their development to the new 'lean browser', neglecting their old all-in-one browser, which in turn IMPROVED after their focus shifted from it. Furt
Re: (Score:2)
As an anonymous troll that is an authority on the subject, I think the parent is full of shit.
Re:Why not work with Mozilla (Score:5, Interesting)
My questions are thus... why not move to a model where the entire OS is forced through the tor proxy? This could be done with the use of a dummy network adapter and disabling the current adapter while tor is in use. Yes it would likely break certain OS features during that time, but there it is.
TFA also discusses putting a dumbed-down security 'slider' on the browser, but still the default is to allow JIT/JS. Currently you have noscript installed, but not turned off in a fresh install. A few lines of JS is enough to identify an IP or fingerprint more of the system. The default should be most secure with warnings to open it up. Period. At install time you already explain that things do not work like you are used to and then allow the user to decide to reduce security. Anything else provides an illusion of security to a naive user, but still allows an adversary easy means of detection.
Re: (Score:1)
In response to your first comment, Tails is the answer. Like the TorBrowser bundle does for Tor itself in the browser space, Tails does for Tor from a wider space (everything is dropped or forced through Tor). Now you might make the argument that Tails goes too far in that it's technical. That same thing can be said for your comment on the slider option defaulting to a less than perfect setting. However if you don't do that then you'll make it even more difficult for people to adopt it. This also has a neg
Re: (Score:2)
Perform an AJAX "get" on http://www.whatismyip.com/ [whatismyip.com] or any other IP lookup site.
Re: (Score:2)
It can be as simple as DNS to an unexpected port, ftp in the distant past to a proxy not being filled in, to more unique application-related issues with a browser.
In the end the IP drops out and the user can then be tracked over the net as expected. Back in 2007, ideas around e.g. an exit server looking for key words would get a real IP to a user's browser, i.e. the user did not disable Java.
Re: (Score:3)
My questions are thus... why not move to a model where the entire OS is forced through the tor proxy? This could be done with the use of a dummy network adapter and disabling the current adapter while tor is in use. Yes it would likely break certain OS features during that time, but there it is.
This is a bit like plugging a power strip into itself. It might seem self evident why that should work, but alas, it does not. /s
How do you think TOR communicates with the Internet at large, if not using the OS network stack? And if you coopt that stack, how, pray tell, do you expect TOR to be able to communicate with the TOR nodes?
Re: (Score:2)
If there was ever a reason to have the device driver firmware loaded by the OS, instead of being stored on the device in flash, I think this is it!
Otherwise, just pwn the network card, and you can send out digital breadcrumbs forever.
At least you can include firmware you think you can trust.
Re: (Score:2)
You don't have to. The browser is fully open source. That's why they're actually comparing vs Chromium, not Chrome. But Chromium is missing quite a few features compared to Chrome like H264 support.
Re: (Score:2)
PaleMoon is just a rebranded Firefox 24 ESR.
Findings... (Score:1)
Address Space Layout Randomization is disabled on Windows and Mac
Due to our use of cross-compilation and non-standard toolchains in our reproducible build system, several hardening features have ended up disabled. We have known about the Windows issues prior to this report, and should have a fix for them soon. However, the MacOS issues are news to us, and appear to require that we build 64-bit versions of the Tor Browser for full support. The parent ticket for all basic hardening issues in Tor Browser is bu
Re: (Score:3, Interesting)
One question I have is:
They say ASLR is disabled, and then they recommend using the product with EMET. However, if ASLR is disabled, doesn't that mean that EMET won't be compatible? EMET requires a number of features to be handled correctly before it can be used.
Seems to me that what really has to happen (in this order) is:
1) Mozilla fixes jemalloc or just replaces it with something like PartitionAlloc, fixing these issues for ALL variants that depend on it.
2) TorBrowser takes the Firefox code and recompi
Re: (Score:2)
They say ASLR is disabled
I *think* what they are saying is that:
ASLR is disabled in their build of the software. (It must be enabled via a compiler option.)
However, ASLR is enabled in windows itself.
from Microsoft:
http://www.microsoft.com/secur... [microsoft.com]
Address Space Layout Randomization (ASLR): In older versions of Windows, core processes tended to be loaded into predictable memory locations upon system startup. Some exploits work by targeting memory locations known to be associated with particular processes. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process. The combination of ASLR and DEP creates a fairly formidable barrier for attackers to overcome in order to achieve reliable code execution when exploiting vulnerabilities.
ASLR was introduced in Windows Vista and has been included in all subsequent releases of Windows. As with DEP, ASLR is only enabled by default for core operating system binaries and applications that are explicitly configured to use it via a new linker switch.
As for EMET and ASLR:
Basically EMET can force recent versions of Windows to use ASLR even on applications that don't explicitly build with support for it:
http://krebsonsecurity.com/tag... [krebsonsecurity.com]
EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you'll need to have Microsoft's .NET Framework 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.
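The Microsoft passage quoted above describes ASLR on Windows as a per-binary opt-in set through a linker switch, which is exactly what a build system can silently lose. As an added example (not from the report, the Tor Project, or any poster here), this Python checker reads the DllCharacteristics field of a PE image's optional header to report whether the binary opts into ASLR (DYNAMIC_BASE), DEP (NX_COMPAT) and high-entropy 64-bit ASLR; the `build_stub_pe` helper is a constructed, non-runnable header used only so the check can be exercised offline.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image may be relocated at load time: the ASLR opt-in
NX_COMPAT = 0x0100        # image is DEP (NX) compatible
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use high-entropy ASLR addresses

def pe_mitigations(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # optional header follows COFF header
    if opt_size < 72:                        # DllCharacteristics sits at +70 (2 bytes)
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,          # 0x10B = PE32, 0x20B = PE32+ (64-bit)
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }

def build_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample (hypothetical, not a real binary): just enough header
    bytes to exercise pe_mitigations(); it cannot be executed."""
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def check_file(path: str) -> dict:
    with open(path, "rb") as f:              # headers live in the first few KiB
        return pe_mitigations(f.read(4096))

if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. python pe_check.py firefox.exe
        print(path, check_file(path))
```

A binary reporting `aslr: False` is still randomised under EMET's mandatory ASLR, but without EMET it loads at its preferred base, which is the situation the report describes.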
Re: (Score:1)
Ah; so they're not saying that they disable ASLR, they're just saying they aren't baking it in (which EMET can do for free).
That makes much more sense if it's the case. I never use TorBrowser on Windows, so I haven't seen how it actually behaves.
Re: (Score:1)
Once you do *that*, exploring running TBB with EMET is worthwhile, as EMET may make exploitation more difficult. I'm not certain that it would actually make it difficult enough for Tor Project to try and get non-technical people to use it, but it's worth exploring IMO.
To your points: PartitionAlloc is independent of ASLR. The deterministic build system relies on cross-compiling on Linux for Windows/Mac.
Re: (Score:1)
Thanks! This is excellent info. I do think that a Pwn2Own on TBB would be useful either way -- either it's hardened a lot and fares well, thus getting good publicity as a private AND secure browser, or the glaring bugs are fixed, it fails miserably in the P2O, and the visibility is improved that while it may be somewhat anonymous, it is by no means secure, and people pitch in to help fix that. Seems like a win-win to me, as long as donors are footing the prize bill.
"Limitations on proxy support"? (Score:3)
I assume they mean that it hooks into the OS-level proxy settings. That is a good thing, I hate configuring my proxy settings over and over and over for every application when the OS already has a setting for it.
But it isn't a limitation, last I checked there was a command line parameter for forcing use of a proxy. So just make a launcher app that forces Chrome to use Tor. You should be able to even launch a Tor-using Chrome side-by-side with a non-Tor Chrome if you set it up right (using --user-data-dir to make a new Chrome profile and instance instead of using a local user profile and instance).
Re: (Score:3)
Remember the audience. This was written for people who want to know about browsers and Tor. Not for people who want usability.
Specifically, "several bugs required for basic proxy-safe Tor support for Google Chrome's Incognito Mode ended up blocked for various reasons."
So even your command line parameter thing is irrelevant.
Which brings me to this:
Stop right there. Everyone who ever said "it's as easy as..." or some variation ha
Re: (Score:1)
Why the hell would you want to?
The report doesn't say "use Chrome" (Score:4, Informative)
Maybe I'm missing something, but I've read the whole report and I can't find anything that says "don't favor Firefox as a baseline for Tor, rather Google Chrome".
Re: (Score:3, Informative)
They don't. They simply acknowledge that Chrome has a safer memory deallocator, and that the Chrome team has put some actual effort into security in their browser.
There is just an active effort now to discredit Firefox at every possible opportunity. It has cropped up in pretty much every browser discussion, at pretty much every opportunity. For every negative point that might have some merit or at least tries to be level-headed, there are two or more that blindly paint Firefox and Mozilla in a negative
Re: (Score:3)
The sheep (or astroturfers, can't tell) have decided that Chrome is the cool thing and everything else must die, facts be damned.
Re:The report doesn't say "use Chrome" (Score:4, Informative)
I was wondering the same thing. The only thing the report says is "implementing security features that Chromium has and work in Firefox would help Tor".
The headline is a lie.
Re: (Score:1)
They didn't even mention the process-model of Firefox. Which would be the first thing a layman would mention. Which at least in theory should make Chromium more secure.
Not that they really need to replace Firefox in the long run for that. Because Electrolysis, as the multi-process Firefox project is called, is scheduled to go in at the end of this year or at the start of next year.
Re: (Score:3)
It's been in Nightly for a while. I'm posting using it. The only thing that doesn't work well for me is...Gmail.
There's also full sandboxing support, but you need a compile time flag for it.
Re: (Score:1)
I believe I read somewhere multi-process Firefox is targeted for Firefox 36. That is why I mentioned end of the year.
links2 -g (Score:2)
And seriously, if you can't make your site look good in links, I don't need you. Wait, /. looks like shit on links... Dammit.
"...access to private bugs..." (Score:2)
Wait, so Gecko is full of ***KNOWN*** "zero" days--zero in the sense we don't know about them, but Mozilla does? Please tell me I'm reading that wrong!
Re: (Score:3)
Security bugs filed against Firefox are private until a new release is out to the users. If the issue is critical (looks like it can be exploited), it will be in an x.0.1 update. If it isn't, then it will be in n+1.
Another way of stating what you said is "if Firefox engineers find a way to 0-day their own browser, they fix it before plastering the information on how to do it all over the internet".
That's not what it says at all vs Chrome (Score:4, Informative)
"The Chrome Security team has been a source of innovation in the browser security space. Tor Browser Bundle is based on Firefox and thus inherits progress made by Mozilla automatically. While improvements in Chrome may not be appropriate for Firefox, they could be integrated in Tor Browser Bundle. In a best case scenario, members of the Chrome Security team may be allowed to work with the Tor Project on these changes."
Basically it's saying: Chrome is also doing good stuff, combine it with the stuff you get from Mozilla for a better result.