The incentives to develop Tor exploits, target Tor users, and the attack surface of the browser could seem to make using it at all an exercise in poor judgement.
You basically add some anonymity but change your threat model to include an extremely high likelihood of injection attacks, and practically provoke every state level agency to monitor you, where they might have previously ignored you.
This was the PGP problem in the 90s where you would essentially be sending a tracer round across the network saying, "hey everyone, these two people are using encryption!"
Tor is a great effort and it gets people involved in privacy, but onion routing to exit nodes on the internet has diminishing efficacy, and I think everyone needs a clearer articulation of what and whose problem it solves.
I think there is something inherently difficult/impossible about what you propose.
From the data presented by the Tor Project, it seems clear that Tor serves many people in nations where they're likely to be targeted by the state or other organizations for online activity.
With that said, I think defining what and whose problem it solves has a limit imposed by the nature of what we're doing, which is giving people the option to be anonymous and connect to the internet. The more details you articulate, the less effective this system becomes.
> when they might have previously ignored you
until they have reason to pay attention, when they can query metadata about all of your previous unanonymized traffic
> onion routing to exit nodes on the internet has diminishing efficacy
How about onion routing to peers? Tor provides a great backbone to do this yet so few applications employ it. I have ideas of course, but in general, it's very easy to have a desktop app on your home computer that fires up an onion service you can access from anywhere including mobile. Why more apps that don't have high bandwidth requirements don't use it I'll never know.
Are you sure that last one isn't the newspaper website itself? They're notorious for that and it would be surprising if you could actually push enough traffic (maybe ~1Gbps sustained?) through a Tor circuit to max out even one core on Tor itself.
Yup. Here are a few Go lines to serve a dir over HTTP via an onion service: https://github.com/cretz/bine#example. Takes a few seconds to set up the service or even less if you set the option to use v3 onion services. Client auth can be configured and it's part of the protocol. Fire it up and serve your at-home photo catalog and view it via something like Orfox on your mobile device.
That makes it sound like it is simple, but without looking at the dependencies' code it might just be a simple interface to an implementation of a complex protocol.
Well, sure. That goes with everything, you aren't implementing your own TCP stack for making a simple HTTP server response. The claimed simplicity is in dev time, not in protocol implementation for all layers.
Sure, but "tor’s simple utility for punching through nat" (although said by the parent and only agreed by you) makes it sound like NAT hole punching is now simple, universal and stable. If it is all those three via TOR's utility I'd love it, but I'm guessing it is neither or just one.
> If it is all those three via TOR's utility I'd love it, but I'm guessing it is neither or just one.
It is all three, but it's not technical NAT hole punching as much as just connecting to relays. So any device that can call out to the internet can set up a local onion service, similar to how those localhost-to-public-address dev tunnels work.
Disagree: Exploits in the browser bundle would affect stock Firefox or bypass security measures not present in stock. NSA monitors all traffic anyways; they certainly don't ignore normal users.
Source for this claim? I don't doubt they monitor what they can - but the sheer volume of internet traffic makes it unlikely that they are able to monitor everything and instead must target specific things to monitor. They have a lot of money and a lot of smart people, but they don't have wizard magic.
After going through volume reduction, so maybe not _strictly_ every packet:
> The processing centres apply a series of sophisticated computer programmes in order to filter the material through what is known as MVR – massive volume reduction. The first filter immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads, which reduces the volume by about 30%.
They have access, but it isn't necessarily analysed or kept.
Some ex-NSA tech lead (Bill Binney-something, who quit because of absurd spying) said they were drowning in data and were mostly interested in listening more (an easy reason to get more budget iirc).
Now they can't inspect everything close, but they do grab the data.
Are you living in 2012? Since 2013 and the Snowden revelations, the allegation that the IC does at least 30 days full take of 100% of internet data traffic (and much longer for encrypted or interesting traffic) is an established fact. Why do you think HTTPS penetration is so high today?
In 2018, and with that big giant data center in Utah, it's likely much greater than 30 days. It truly is wizard magic.
I'm surprised no one is discussing how unethical Zerodium is. Selling undisclosed vulnerabilities to the government for a tool designed to protect users from government oppression is about as unethical as you can be.
It's pretty common practice. I was at a panel discussion at Ruxcon 2012 where selling exploits was brought up. Ranty Ben talked about how selling exploits was how he made a living.
The original/official upload of the panel discussion used to be here, but it's been taken down since. :(
Can you really call TOR a tool to "protect users from government oppression" when the project itself is majority-funded by the US Department of Defense?
You just need to accept that the US Government's agenda of regime change in Vietnam, China, Iran, Cuba, Egypt, Venezuela, North Korea, Belarus, Russia, Ukraine, and Turkey is the correct course of action of the continuing development of international human rights.
Also it helps to ignore any chance that there could be a majority of the population who sees their government's actions as necessary, just, or even acceptable. They're simply wrong and uninformed due to the oppression of their government. Western European liberal capitalist representative democracy is the only successful government which stands the test of time, we have nearly 200 years of data to support this, every other model by comparison simply doesn't work.
>You just need to accept that the US Government's agenda of regime change in Vietnam, China, Iran, Cuba, Egypt, Venezuela, North Korea, Belarus, Russia, Ukraine, and Turkey is the correct course of action
I would like to see some citations that the US is pursuing regime change in Vietnam, Egypt and Ukraine. The US is a direct supporter of both the Egyptian and Ukrainian governments and on fairly decent terms with the government of Vietnam.
>Also it helps to ignore any chance that there could a majority of the population who sees their government's action as necessary, just, or even acceptable. They're simply wrong and uninformed due to the oppression of their government.
How do you gauge the support for censorship within non-democracies like North Korea especially when opposition to censorship may be brutally punished? I'm not saying that the population of North Korea is anti-censorship, I don't know what they believe. I'm curious how you arrived at the conclusion that they are pro-censorship.
The goal of TOR is to subvert local attempts to control internet access. Generally this takes the form of censoring pro-western internet views, as the internet in its more open-access form is a product of the western hegemony and is filled with praise for the western hegemony's policies and its propaganda.
Attempts made by governments to censor the external internet, and attempts made by those outside of the government, cannot escape the political elements of their actions. The goal is either the preservation of the current regime, or the change/overthrow of the regime/party/structure; all political actions boil down to this.
In light of these facts, the diplomatic relationships effectively serve as short-term tools, while projects like TOR are long-term tools. The former exists for PR and making concrete treaties. The latter exists for building political divisions over longer periods of time which can trigger national instability and crises. See: Arab Spring.
> How do you gauge the support for censorship within non-democracies like North Korea especially when opposition to censorship may be brutally punished?
DPRK regularly has multi-party elections so I think we could gauge how the people vote?
My first point was that you were saying the US is working to bring about regime change in Vietnam, Egypt and Ukraine. I suspect this is not the case for the reasons I gave, but I'd be willing to look at any evidence you have for this.
>DPRK regularly has multi-party elections so I think we could gauge how the people vote?
In a country such as North Korea where even minor disagreements with the government result in torture it seems unlikely to me that a non-secret ballot would be an effective way of gauging public views on controversial issues.
Hrmm, can execute JS in FF's JSON viewer it seems. Still even with JS available there are more steps required to deanonymize.
> This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers
Of course it was. The surface area of browser tech is just so large. We need a subset of html+css and a browser that only renders that with a really simple implementation (plus side, low bandwidth and terminal friendly). Not a full browser with features conditionally disabled. I haven't put enough thought into client-side scriptability so I'd punt on it for now, but I did put thought into other parts the other day [0]. Many onion services don't want all the features of the modern web anyways. The TBB can still exist for users of full sites of course.
I don't know why people are focusing on deanonymization here, once you can run JS, they can just run one of the dozen Firefox 0days they are stockpiling.
If your threat profile involves governments targeting you, this bug is critical, more so than the code execution exploits because these bugs are rarer.
For this issue and for JS execution maybe. But there are so many features in modern browsers that the cat-and-mouse game of waiting for vulns to know you've hit all of the places for fingerprinting and other deanon is untenable. Couple that with extensions TBB bundles by default, e.g. https everywhere, and the surface area is even larger.
TBB has value for general browsing, but secure browsing needs to be by document format as much as implementation. Right now, the only reasonable option for onion services is to have their site browsed via the large, feature-rich bundle. Unfortunately, it requires a good bit of funding to build a document browsing platform of any size so I definitely understand the current practical approach.
That's an interesting explanation. "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users." is the explanation provided by Zerodium. End of life? Raise awareness? Sounds like shitty PR to me... There must be other explanations. Does anyone have any idea, beyond the one already provided above?
They are in the business of buying and selling any zero-days. Tor Browser's primary goal is to be secure, unlike any other browser (which may still want to be secure but have many other goals). This zero-day isn't exactly one either if you think about it, it only allows running JS, which is a default feature on any other browser.
So they essentially lose nothing over it. People won't stop using internet and move toward written letters... they will just move toward other browser or update their browser, they will still be using something that Zerodium are buying and selling zero days for.
Strip the JavaScript engine out of the Tor Browser, it has no reason to be there. It defeats the purpose of using Tor if you're gonna allow JavaScript to run.
It'd be much easier to just strip it all out, despite breaking site support in the process. Especially since Tor is usually used to access hidden services instead of the clearnet.
All that has to happen to fix this vulnerability is to remove support for legacy addons—which is what Firefox Quantum already did.
The old addon system made it far too easy to make catastrophic mistakes like this. Web Extensions, which are an API that was actually designed with security in mind, constitute a huge security improvement.
> This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.
It's a possibility that it has been used. I'm not sure if a government would buy an exploit and not use it before it's patched, unless they couldn't find any use for it. This exploit is different than the one the FBI used on the child porn site though. They'd need to combine it with something that can bypass the Tor Browser's socks5 setting. It would be a much bigger deal if they had an exploit that could do that.
> This exploit is different than the one the FBI used on the child porn site though
I was wondering if this was related to the Playpen case. I thought the FBI refused to release any information on that (and subsequently charges were dropped against several of the people they arrested).
Who has discovered what the Tor Browser's socks5 setting was?
The bounty was specifically targeting Tor Browser on Tails and/or Windows 10. This vulnerability affects the security settings at high, so the payouts were 185k for cross platform RCE, and 250k for cross platform RCE+LPE.
> We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements
If we have to take their word for it, "many exploits" probably means they have an LPE too.
And when you escalate, you are able to bypass both SOCKS5 and Tails' firewall.
This isn't even "multiple content-types", the value is just malformed. The ";" would normally introduce parameters to the content-type, such as in "text/plain; charset=utf-8". Here, "/json" is just garbage.
It isn't allowed to have multiple content-types. (And it would make no sense.)
My thought was for a "mixed media" like multi-part form data. Maybe the response would be text/plain; text/json (or shortened because the first one is text/plain to just /json).
I will do mental gymnastics to try and figure out if something was meant to be a certain way or not.
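To make the point in the two comments above concrete, here is an added example (not code from the thread, Zerodium, NoScript or Mozilla) that parses a Content-Type header against the media-type grammar of RFC 7231 §3.1.1.1 and contrasts that with a lenient substring check. In the well-formed `text/plain; charset=utf-8`, everything after `;` is a `name=value` parameter; in `text/html;/json` the `/json` has no `=`, so a strict parser rejects the header outright, while a check that merely looks for `/json` anywhere in the string treats it as JSON. The function names, the quoted-string handling, and the JSON classifier rule are my own choices for illustration.

```javascript
// Added example: strict RFC 7231 media-type parsing vs. a lenient substring check.
// media-type = type "/" subtype *( OWS ";" OWS parameter )
// parameter  = token "=" ( token / quoted-string )
// Limitation (deliberate, to keep the example short): a quoted-string value that
// itself contains ";" is not supported and will fail the parse.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns {type, subtype, params} or null when the header is malformed.
function parseMediaType(header) {
  const parts = header.split(";");
  const [type, subtype, ...rest] = parts[0].trim().split("/");
  if (rest.length || !TOKEN.test(type || "") || !TOKEN.test(subtype || "")) {
    return null; // type/subtype must be exactly two tokens
  }
  const params = {};
  for (const raw of parts.slice(1)) {
    const p = raw.trim();
    const eq = p.indexOf("=");
    if (eq < 1) return null; // "/json" here: no "=" means it is not a parameter
    const name = p.slice(0, eq).toLowerCase();
    let value = p.slice(eq + 1);
    if (!TOKEN.test(name)) return null;
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // quoted-string (escapes not needed for this demo)
    } else if (!TOKEN.test(value)) {
      return null;
    }
    params[name] = value;
  }
  return { type: type.toLowerCase(), subtype: subtype.toLowerCase(), params };
}

// Lenient classifier: the kind of check that garbage after ";" can satisfy.
function looksLikeJsonLenient(header) {
  return header.toLowerCase().includes("/json");
}

// Strict classifier: only a well-formed header with a JSON subtype qualifies.
function isJsonStrict(header) {
  const mt = parseMediaType(header);
  return mt !== null && mt.type === "application" &&
    (mt.subtype === "json" || mt.subtype.endsWith("+json"));
}
```

Running `parseMediaType("text/html;/json")` returns `null`, `looksLikeJsonLenient` on the same string returns `true`, and `isJsonStrict` returns `false`; the two classifiers only agree once the header is actually well-formed, such as `application/json` or `application/problem+json; charset=utf-8`.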