Slashdot Mirror
TOR Wants You To Stop Using Windows, Disable JavaScript
itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."
Firefox allows it, as does every major browser. But it is not the default, because it is incredibly inconvenient considering how many websites rely on it. There are tools to make it easier for Firefox and Chrome but it is still a bit of a bother.
FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'
Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?
I deny that I have not avoided attaining the opposite of that which I do not want.
Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.
The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.
People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.
The G
Firefox is apparently opting to remove the option from their settings and for a good reason - no one wants to globally disable JS these days. A default off with allowed sites is workable though, but there are extensions like NoScript to add that functionality.
This is incorrect, the latest versions of firefox do not allow javascript to be turned off. It is a valid complaint
If an experiment works, something has gone wrong.
It's trivial to use Tor in a secure fashion. In fact, if you need the security provided by Tor, chances are you're better off doing it this way instead:
1) Download Tails
2) Burn to CD
3) Boot disk
4) Use Tor
How hard was that?
(Personally, I use IE5 and Windows 2000 for Tor. Nobody's going to try to exploit that... and yes, I'm kidding.)
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
URL about:config then enter 'javascript.enabled' into the search bar. Double click that setting in the list below to toggle back and forth.
This is incorrect, the latest version of firefox do allow javascript to be turned off. It is an invalid complaint.
Don't give me bullshit about it not being in the "UI" either, since I have a bookmark with the address about:config?filter=javascript.enabled right there in my bookmarks toolbar.
To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.
Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
Seeing all the press that Java was getting, Netscape renamed Livescript "Javascript", to ride the coat-tails of the
completely different system, called Java.
They were developed completely separately, by different companies, for different purposes, and based on different principles.
It's exactly as if the BETAMAX were renamed DroidVideo.
They're being rather disingenuous too: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
Since the vulnerability isn't limited to Windows machines, it's just that they believe that only Windows machines were targeted.
WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.
(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])
To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.
IMPACT:
The vulnerability allows arbitrary code execution, so an attacker
could in principle take over the victim's computer. However, the
observed version of the attack appears to collect the hostname and MAC
address of the victim computer, send that to a remote webserver over
a non-Tor connection, and then crash or exit [8]. The attack appears
to have been injected into (or by) various Tor hidden services [9],
and it's reasonable to conclude that the attacker now has a list of
vulnerable Tor users who visited those hidden services.
We don't currently believe that the attack modifies anything on the
victim computer.
So what makes them so sure that only Windows machines were targeted? Sure only paranoid people would think that way, but lot of people using Tor are paranoid, and many using Tor SHOULD be that paranoid.
NoScript works for me...
This is a sure way to reveal your IP address to an attacker. The only proxy switcher ever deemed safe to use with Tor was TorButton... the rest allowed cache and history-based attacks. Even so, Tor project recommends the entire browser now be customized for Tor and not used for any in-the-clear web access.
So why do I have Firefox 22 with an enable/disable Javascript option? I downloaded this from Mozilla so you are saying they built a special version just for me? How nice of them.. Or perhaps Firefox still allows the user to enable/disable Javascript at this time.
You'll be unpleasantly surprised when you download Firefox 23 and find out it's gone. Which was released today, btw.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
And that's an important point a lot of people, and most of the news media, have gotten wrong about this story. Download any TorProject Browser and NoScript is included by default and specific browser settings changed. As is it's relatively safe to use but if users even temporarily disable those protection measures because they can't do something like download a file or participate in some commenting page because a script is being prevented from running than it's not a fault with Tor, it's a user issue. TorProject's site has always had a very clearly warning for their users about javascript as being a security issue to pay attention to.
Take a look at all the certificate authorities your browser trusts sometime. Any one of those can issue a certificate for ANY website, not just those in the area where that authority. If any ONE of those authorities issues a certificate for, say, the NSA, then they can MITM your communication with any website if they're in a position to do so (and the NSA most definitely is), regardless of that website's original certificate. By default, the browser doesn't give a shit if the certificate changes. All of this makes SSL useless against a determined attacker.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.