This week, cyber security expert Neal Krawetz, who manages several Tor nodes himself, released details of two zero-day vulnerabilities affecting the Tor network itself and the Tor Browser.
The researcher says that the Tor developers have repeatedly refused to fix the problems he found, so he decided to make the vulnerabilities public. Worse, Krawetz is promising to release three more 0-day bugs shortly, one of which could be used to reveal the real IP addresses of Tor servers.
The specialist described the first 0-day problem in a blog post on July 23, 2020. In that article, he discussed how companies and ISPs can block users from connecting to the Tor network: to do so, one only needs to scan network connections for a characteristic packet signature unique to Tor traffic.
Krawetz described the second 0-day vulnerability in a blog post today, July 30, 2020. This bug also allows network operators to detect Tor traffic. But whereas the first problem can be used to detect direct connections to the Tor network (to the Tor guard nodes), the second vulnerability can be used to detect indirect connections, that is, the connections that users make to Tor bridges.
Let me remind you that bridges act as a kind of proxy, relaying the user's connection into the Tor network itself. Since they are a highly sensitive part of the Tor infrastructure, the list of bridges is constantly updated to make it harder for providers to block them. Krawetz writes that connections to Tor bridges can nonetheless be easily discovered using the TCP packet tracing technique.
“After my previous blog post and this one, you have everything you need to enforce policy (blocking Tor) with real-time packet inspection. You can prevent all your users from connecting to Tor, regardless of whether they are directly connected or using a bridge,” the expert writes.
The specialist also says that, in his opinion, the Tor Project engineers do not take the security of their networks, tools and users seriously enough. He refers to his previous experience and numerous attempts to inform the Tor developers about various bugs, which in the end were never fixed. Among them:
- a vulnerability that allows sites to detect and recognize Tor Browser users by the scrollbar width, which the developers have been aware of since June 2017;
- a vulnerability that allows Tor bridges to be detected via their OR (Onion Routing) port, discovered eight years ago;
- a vulnerability that allows the SSL library used by Tor servers to be identified, found on December 27, 2017…
In early July 2020, Krawetz announced that he had decided to finally abandon cooperation with the Tor Project and now intends to talk about the problems publicly.
I’m giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything.
I’m holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days.
– Dr. Neal Krawetz (@hackerfactor) June 4, 2020