Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 5, 2013 23:29 UTC (Mon) by bjacob (guest, #58566)
Parent article: Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

It is worth noting that the exploit was specifically in the outdated Firefox 17 version; while a branch of Firefox 17 is still maintained as part of the "ESR" long-term support program, the point of ESR is not to maximize security --- it is rather to accomodate the needs of organizations that prefer a slower pace of releases --- and Mozilla has explicitly communicated that ESR releases would be *less* secure than standard ones, because the realities (complexity vs pace of change vs attack surface) of modern browsers make it so that the more frequently updated branch is also the more secure one.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 5, 2013 23:36 UTC (Mon) by bjacob (guest, #58566) [Link] (9 responses)

Oh, and in fact, even the ESR branch was already secure in this case --- it had received the backport of the security fix as part of the ESR 17.0.7 release on June 25.

http://www.mozilla.org/security/announce/2013/mfsa2013-53...

So was Torbrowser using an *unsupported* Firefox release until now ?! That seems to defeat the point of a would-be anonymizing browser.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 5, 2013 23:49 UTC (Mon) by JoeBuck (subscriber, #2330) [Link] (2 responses)

Attackers are going to focus on whatever version Tor bundles, since non-expert Tor users are going to use the setup that makes it easy.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 5, 2013 23:53 UTC (Mon) by k8to (guest, #15413) [Link] (1 responses)

In fact, the TOR project explicitly recommends using the bundle because of the nontrivial nature of ensuring nothing exposes the browser.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 17:54 UTC (Tue) by rahvin (guest, #16953) [Link]

This is very important and I'm glad you posted it. Those Syrian rebels using TOR need to understand that this is a non-trivial task, without some custom configuring you can read cookies and other information that can identify the user. If you use the TOR browser bundle at start up it checks for a new version, it also provides no-script by default and setups all the little configuration details to ensure there is no access to cookies or other identifying information. The rebels lives depend on their identities not being revealed and they aren't the only group of people in this world that need the protection of anonymous browsing.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 0:53 UTC (Tue) by cesarb (subscriber, #6266) [Link] (1 responses)

> So was Torbrowser using an *unsupported* Firefox release until now ?

No.

https://blog.torproject.org/blog/tor-security-advisory-ol...

If that blog post says the truth (and I have no reason to doubt it), and I am reading it correctly, a fixed version had already been released more than a month ago.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 1:10 UTC (Tue) by bjacob (guest, #58566) [Link]

Great, thanks for the link. That clarifies it.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 6:08 UTC (Tue) by gmaxwell (guest, #30048) [Link] (3 responses)

And TBB is ESR at least in part because of the non-trivial cost in carrying around the patches required to close information leaks in the browser and otherwise harden it.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 6:51 UTC (Tue) by pabs (subscriber, #43278) [Link] (2 responses)

It would be awesome if TBB were merged into the Firefox private browsing mode.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 9:53 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (1 responses)

The stance from browser vendors is that the "private" mode is only supposed to prevent embarrassing scenarios where, e.g. autocomplete takes your daughter to your favourite porn site, or your spouse accidentally opens a tab with all the hotel details for the surprise anniversary weekend away you just booked. The messages displayed when you activate this mode in various popular browsers align with that.

It's like password masking, using rot13 on the stored password doesn't make it difficult for bad guys to find the original password but it means someone who happens to glance at the config file is much less likely to come away with "MoonMoonForPresident" seared into their memory. Or think of it like the lock on a typical bathroom door. Can I open the lock from the "wrong" side with the tools in my pocket? Yes I can. But people don't, because they don't want to walk in someone using the toilet, the feeble lock is a prompt to remind us of a social convention and nothing more.

TOR is a big deal, to get any benefit users have to understand what it is and is not doing, and what that means for how they use a browser. Just labelling it "Super private mode" would be false advertising. Not to mention that then obviously TOR will be incredibly slow for everyone so they'll presumably switch it back off again and pronounce the whole thing a "waste of time".

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 10:01 UTC (Tue) by pabs (subscriber, #43278) [Link]

Looks like Mozilla are considering integrating the TBB into Firefox now:

https://twitter.com/BrendanEich/status/364265592112414720