Slashdot Mirror


Tor Browser Security Under Scrutiny

msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.

47 of 80 comments

  1. Why not work with Mozilla by Virtucon · · Score: 4, Interesting

    Why not work with Mozilla to address the issues? What about Chromium? I'd put the brakes on anything Google does with Chrome. Their ever-shifting policies have meant that it's no longer a preferred solution to our clients and to my customers. These aren't minor issues either since Google has been building their own walled garden, something a lot of FOSS and Commercial Software organizations won't support. Firefox, at least for now, is void of these issues and is much friendlier to the community as a whole.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Why not work with Mozilla by Anonymous Coward · · Score: 1, Informative

      They already do work with Mozilla.

    2. Re:Why not work with Mozilla by Anonymous Coward · · Score: 1, Insightful

      Firefox, at least for now, is void of these issues and is much friendlier to the community as a whole.

      As somebody who's been involved in Netscape/Mozilla/Firefox development since the 1990's, I can't think of many statements that are more false than this one. Mozilla is hostile to users in general and continually ignores the most popular bugs in order to implement stupid imitation-Chrome features that are unpopular with the users. In fact, they wear it as a badge of honor like they're flipping us the bird and grinning about it.

    3. Re:Why not work with Mozilla by wbr1 · · Score: 5, Interesting
      Chrome/chromium on windows uses the Windows Crypto API to install and verify certs. This bypasses the TOR proxy and allows for a MITM attack with no user knowledge. Changing this requires more work than what they have to do with FF.

      My questions are thus... why not move to a model where the entire OS is forced through the tor proxy? This could be done with the use of a dummy network adapter and disabling the current adapter while tor is in use. Yes it would likely break certain OS features during that time, but there it is.

      TFA also discusses putting a dumbed down security 'slider' on the browser, but still the default is to allow JIT/JS. Currently you have noscript installed, but not turned off in a fresh install. A few lines of JS is enough to identify an IP or fingerprint more of the system. The default should be most secure with warnings to open it up. Period. At install time you already explain that things do not work like you are used to and then allow the user to decide to reduce security. Anything else provides an illusion of security to a naive user, but still allows an adversary easy means of detection.

      --
      Silence is a state of mime.
    4. Re:Why not work with Mozilla by Anonymous Coward · · Score: 2, Informative

      Mozilla doesn't care. They are actively undermining features needed to use Tor safely (and, arguably, to browse at all safely).

      Firefox has lost the ability to disable javascript;

      Let's see.. *clicks on about:config?filter=javascript.enabled in my bookmarks* Nope, still able to do that.

      it's gained tons of privacy-violating tracking features, some of which report every URL you visit to Google;
      it keeps cookies forever by default; and it's gaining more and more browser fingerprinting sources with every release.

      Nope again, and defaults are easy to change when you're building your own TOR browser.
      There's plenty of room elsewhere in Firefox for improvement, and patches are welcome, so there's really no need for this FUD.

    5. Re:Why not work with Mozilla by Anonymous Coward · · Score: 1

      In response to your first comment, Tails is the answer. Like the TorBrowser bundle does for Tor itself in the browser space, Tails does for Tor from a wider space (everything is dropped or forced through Tor). Now you might make the argument that Tails goes too far in that it's technical. That same thing can be said for your comment on the slider option defaulting to a less than perfect setting. However if you don't do that then you'll make it even more difficult for people to adopt it. This also has a negative impact on the ability of Tor to anonymise its users. Without sufficient users you can more easily identify the users who do use it. Essentially the argument is you have to compromise in one place or the other and neither is ideal, but at least with the one you're inclusive of more users.

    6. Re:Why not work with Mozilla by Carnildo · · Score: 1

      I'm curious how you can get an IP address with a bit of js.

      Perform an AJAX "get" on http://www.whatismyip.com/ or any other IP lookup site.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    7. Re:Why not work with Mozilla by AHuxley · · Score: 1

      The ability to fool a Tor user and browser into giving up an ip has been in the press over the years.
      It can be as simple as DNS to an unexpected port, ftp in the distant past to a proxy not having been filled in, to more unique application related issues with a browser.
      In the end the ip drops out and the user can then be tracked over the net as expected. Back in 2007 ideas around e.g. an exit server looking for key words would get a real ip to a user's browser, i.e. the user did not disable Java.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:Why not work with Mozilla by mcrbids · · Score: 2

      My questions are thus... why not move to a model where the entire OS is forced through the tor proxy? This could be done with the use of a dummy network adapter and disabling the current adapter while tor is in use. Yes it would likely break certain OS features during that time, but there it is.

      This is a bit like plugging a power strip into itself. It might seem self evident why that should work, but alas, it does not. /s

      How do you think TOR communicates with the Internet at large, if not using the OS network stack? And if you coopt that stack, how, pray tell, do you expect TOR to be able to communicate with the TOR nodes?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    9. Re:Why not work with Mozilla by Skuto · · Score: 1

      As an anonymous troll that is an authority on the subject, I think the parent is full of shit.

    10. Re:Why not work with Mozilla by Skuto · · Score: 1

      PaleMoon is just a rebranded Firefox 24 ESR.

    11. Re:Why not work with Mozilla by Skuto · · Score: 1

      You don't have to. The browser is fully open source. That's why they're actually comparing vs Chromium, not Chrome. But Chromium is missing quite a few features compared to Chrome like H264 support.

    12. Re:Why not work with Mozilla by tomrittervg · · Score: 1

      Would you email me pointers to the Commercial and FOSS ones? I might try and look into them https://ritter.vg/contact.html

    13. Re:Why not work with Mozilla by EETech1 · · Score: 1

      If there was ever a reason to have the device driver firmware loaded by the OS, instead of being stored on the device in flash, I think this is it!

      Otherwise, just pwn the network card, and you can send out digital breadcrumbs forever.

      At least you can include firmware you think you can trust.

  2. Findings... by Em+Adespoton · · Score: 1

    Address Space Layout Randomization is disabled on Windows and Mac

    Due to our use of cross-compilation and non-standard toolchains in our reproducible build system, several hardening features have ended up disabled. We have known about the Windows issues prior to this report, and should have a fix for them soon. However, the MacOS issues are news to us, and appear to require that we build 64-bit versions of the Tor Browser for full support. The parent ticket for all basic hardening issues in Tor Browser is bug #10065.

    Participate in Pwn2Own

    iSEC recommended that we find a sponsor to fund a Pwn2Own reward for bugs specific to Tor Browser in a semi-hardened configuration. We are very interested in this idea and would love to talk with anyone willing to sponsor us in this competition, but we're not yet certain that our hardening options will have stabilized with enough lead time for the 2015 contest next March.

    Test and recommend the Microsoft Enhanced Mitigation Experience Toolkit on Windows

    The Microsoft Enhanced Mitigation Experience Toolkit is an optional toolkit that Windows users can run to further harden Tor Browser against exploitation. We've created bug #12820 for this analysis.

    Replace the Firefox memory allocator (jemalloc) with ctmalloc/PartitionAlloc

    PartitionAlloc is a memory allocator designed by Google specifically to mitigate common heap-based vulnerabilities by hardening free lists, creating partitioned allocation regions, and using guard pages to protect metadata and partitions. Its basic hardening features can be picked up by using it as a simple malloc replacement library (as ctmalloc). Bug #10281 tracks this work.

    1. Re:Findings... by Em+Adespoton · · Score: 3, Interesting

      One question I have is:
      They say ASLR is disabled, and then they recommend using the product with EMET. However, if ASLR is disabled, doesn't that mean that EMET won't be compatible? EMET requires a number of features to be handled correctly before it can be used.

      Seems to me that what really has to happen (in this order) is:

      1) Mozilla fixes jemalloc or just replaces it with something like PartitionAlloc, fixing these issues for ALL variants that depend on it.

      2) TorBrowser takes the Firefox code and recompiles the source as a single package for each target platform, and feeds THAT into its reproducible build system, instead of using standard cross-compile methods. No library loads, etc., just build a binary blob + chrome. This should be able to work under ASLR, if they do it right.

      3) Fix whatever's left that prevents TorBrowser running alongside EMET. However, I think after 1 and 2 are done, there shouldn't be a problem here. Some of EMET's features are already baked in to OS X, so if the above issues are fixed, OS X should be in a stable state as well.

      4) Assuming 1 and 2 are listed as priorities for both OTF and Mozilla, this should be doable by sometime in Jan/Feb 2015. Probably the best route would be to start a kickstarter ending at sometime in Feb to raise money for a pwn2own slot. If they don't make the deadline in tightening things up, pledges are dropped and nobody loses. If they DO make the deadline, they get the funds, and contestants will proceed to punch holes in the browser. Mozilla will also benefit from this attack, and should probably contribute to said kickstarter.

    2. Re:Findings... by vux984 · · Score: 1

      They say ASLR is disabled

      I *think* what they are saying is that:
      ASLR is disabled in their build of the software. (It must be enabled via compiler option).

      However, ASLR is enabled in windows itself.

      from Microsoft:

      http://www.microsoft.com/secur...

      Address Space Layout Randomization (ASLR): In older versions of Windows, core processes tended to be loaded into predictable memory locations upon system startup. Some exploits work by targeting memory locations known to be associated with particular processes. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process. The combination of ASLR and DEP creates a fairly formidable barrier for attackers to overcome in order to achieve reliable code execution when exploiting vulnerabilities.

      ASLR was introduced in Windows Vista and has been included in all subsequent releases of Windows. As with DEP, ASLR is only enabled by default for core operating system binaries and applications that are explicitly configured to use it via a new linker switch.

      As for EMET and ASLR:

      Basically EMET can force recent versions of Windows to use ASLR even on applications that don't explicitly build with support for it:

      http://krebsonsecurity.com/tag...

      EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you'll need to have Microsoft's .NET Framework 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.
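
The distinction drawn in this thread (ASLR is a per-image linker opt-in on Windows, and EMET's mandatory ASLR only forces it at load time) can be checked directly on a build artifact. The following is an added example, not code from the thread, the Tor Project or iSEC: it parses a PE image's optional header and reports whether the DYNAMIC_BASE (ASLR), HIGH_ENTROPY_VA and NX_COMPAT (DEP) flags were set at link time, which is what a reproducible-build pipeline would assert on before shipping. The field offsets follow the PE/COFF specification; `build_minimal_pe` constructs a header-only sample so the check runs offline, and the function names are this example's own.

```python
"""Check a PE image's DllCharacteristics for ASLR / DEP opt-in (added example)."""
import struct
import sys

# Flag bits in IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use full-range ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image is relocatable (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # /NXCOMPAT: image is DEP-compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLL_CHARACTERISTICS_OFFSET = 70  # same offset within the PE32 and PE32+ optional headers


def pe_dll_characteristics(data: bytes) -> dict:
    """Parse the DOS, PE, COFF and optional headers and report mitigation opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    # COFF file header is 20 bytes; SizeOfOptionalHeader sits at +16.
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if size_of_optional < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (flags,) = struct.unpack_from("<H", data, opt + DLL_CHARACTERISTICS_OFFSET)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "dll_characteristics": flags,
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def missing_mitigations(data: bytes) -> list:
    """Return human-readable findings for mitigations the image did not opt into."""
    info = pe_dll_characteristics(data)
    missing = []
    if not info["aslr"]:
        missing.append("ASLR: DYNAMIC_BASE not set (link with /DYNAMICBASE)")
    elif info["format"] == "PE32+" and not info["high_entropy_va"]:
        missing.append("ASLR: 64-bit image without HIGH_ENTROPY_VA")
    if not info["dep"]:
        missing.append("DEP: NX_COMPAT not set (link with /NXCOMPAT)")
    return missing


def build_minimal_pe(magic: int, dll_characteristics: int) -> bytes:
    """Constructed sample: just enough header for the parser (no sections, no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows the DOS header
    size_of_optional = 112 if magic == PE32PLUS_MAGIC else 96  # headers without data directories
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (0x0002 = executable image)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_of_optional, 0x0002)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. a firefox.exe from a build tree
            image = fh.read()
    else:
        image = build_minimal_pe(PE32PLUS_MAGIC, 0)  # constructed sample with no opt-ins
    print(pe_dll_characteristics(image))
    for finding in missing_mitigations(image):
        print("MISSING:", finding)
```

Run it against a real executable to see what the linker actually emitted; an empty `missing_mitigations` result means the image opted in on its own, while a non-empty one means any ASLR it gets is being imposed from outside (EMET's mandatory ASLR or a system-wide policy) rather than built in.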

    3. Re:Findings... by Em+Adespoton · · Score: 1

      Ah; so they're not saying that they disable ASLR, they're just saying they aren't baking it in (which EMET can do for free).

      That makes much more sense if it's the case. I never use TorBrowser on Windows, so I haven't seen how it actually behaves.

    4. Re:Findings... by tomrittervg · · Score: 1

      The fact that ASLR is not universally applied is a bug, full stop. It needs to be fixed ASAP.

      Once you do *that*, exploring running TBB with EMET is worthwhile, as EMET may make exploitation more difficult. I'm not certain that it would actually make it difficult enough for Tor Project to try and get non-technical people to use it, but it's worth exploring IMO.

      To your points: PartitionAlloc is independent of ASLR. The deterministic build system relies on cross-compiling on Linux for Windows/Mac. TBB can run under EMET now but it may be unstable. I do not think a Kickstart-funding of Pwn2Own is worthwhile. I also don't think a Pwn2Own on a TBB that doesn't have a lot of hardening is worthwhile - it's just too soft a target.

    5. Re:Findings... by Em+Adespoton · · Score: 1

      Thanks! This is excellent info. I do think that a Pwn2Own on TBB would be useful either way -- either it's hardened a lot and fares well, thus getting good publicity as a private AND secure browser, or the glaring bugs are fixed, it fails miserably in the P2O, and the visibility is improved that while it may be somewhat anonymous, it is by no means secure, and people pitch in to help fix that. Seems like a win-win to me, as long as donors are footing the prize bill.

  3. Re:Not surprising... by Kazoo+the+Clown · · Score: 1

    The FBI and NSA knew it was shit years ago.

    Just sayin...

    So did I. I gave up on Firefox once they moved away from the "less is more" school of design, several years ago. Same reason I gave up on Netscape before that -- creeping featurism. What I want in a browser is lean and mean. REALLY mean. The more complicated a browser is, the bigger the risk of security flaws.

  4. "Limitations on proxy support"? by The+MAZZTer · · Score: 2

    I assume they mean that it hooks into the OS-level proxy settings. That is a good thing, I hate configuring my proxy settings over and over and over for every application when the OS already has a setting for it.

    But it isn't a limitation, last I checked there was a command line parameter for forcing use of a proxy. So just make a launcher app that forces Chrome to use Tor. You should be able to even launch a Tor-using Chrome side-by-side with a non-Tor Chrome if you set it up right (using --user-data-dir to make a new Chrome profile and instance instead of using a local user profile and instance).

    1. Re:"Limitations on proxy support"? by Bite+The+Pillow · · Score: 2

      Remember the audience. This was written for people who want to know about browsers and Tor. Not for people who want usability.

      Specifically, "several bugs required for basic proxy-safe Tor support for Google Chrome's Incognito Mode ended up blocked for various reasons."

      So even your command line parameter thing is irrelevant.

      Which brings me to this:

      So just make a launcher app that forces Chrome to use Tor. You should be able

      Stop right there. Everyone who ever said "it's as easy as..." or some variation has been wrong. There are bugs in Chrome, which need to be fixed, but aren't going to because they are blocked by some other feature/problem/request.

      So let me re-phrase:

      But it isn't a limitation because I don't know what I'm talking about, last I checked the list of command-line arguments there was a command line parameter for forcing use of a proxy. So just resolve the blocks for the bugs that aren't fixed, then fix the bugs, then make a patch set that has to be maintained for Chrome for which the baseline effort will be 3-5x Firefox, then make a launcher app that forces Chrome to use Tor.

      You should be able to even [do more things once these things are un-blocked and fixed]".

  5. Re:Not surprising... by Applehu+Akbar · · Score: 5, Insightful

    I feel the same way about Tor as I do about DuckDuckGo: if I were paranoid enough to use it, I would be paranoid enough to wonder how it gets along without a business model.

  6. Re:Not surprising... by neminem · · Score: 1

    I also feel the same way about Tor as I do about DuckDuckGo: great ideas in theory, but way too much of a pain to use, given that I don't really have anything terribly important to hide.

  7. Re:Not surprising... by Anonymous Coward · · Score: 1

    I was curious so I looked for an answer.

    https://duck.co/help/company/advertising-and-affiliates

  8. The report doesn't say "use Chrome" by roca · · Score: 3, Informative

    Maybe I'm missing something, but I've read the whole report and I can't find anything that says "don't favor Firefox as a baseline for Tor, rather Google Chrome".

    1. Re:The report doesn't say "use Chrome" by Anonymous Coward · · Score: 3, Informative

      They don't. They simply acknowledge that Chrome has a safer memory deallocator, and that the Chrome team has put some actual effort into security in their browser.

      There is just an active effort now to discredit Firefox at every possible opportunity. It has cropped up in pretty much every browser discussion, at pretty much every opportunity. For every negative point that might have some merit or at least tries to be level-headed, there are two or more that blindly paint Firefox and Mozilla in a negative light. They all follow the usual "us vs them" mentality and chant a mantra that nothing good has happened to Firefox since version 3, that Mozilla is doing nothing but ignoring users, and so forth.

      It's actually getting rather disconcerting. It reminds me of the period where the anti-Internet Explorer hype machine kicked into overdrive. Except this time it's almost entirely unwarranted.

    2. Re:The report doesn't say "use Chrome" by Skuto · · Score: 3, Informative

      I was wondering the same thing. The only thing the report says is "implementing security features that Chromium has and work in Firefox would help Tor".

      The headline is a lie.

    3. Re:The report doesn't say "use Chrome" by Skuto · · Score: 2

      The sheep (or astroturfers, can't tell) have decided that Chrome is the cool thing and everything else must die, facts be damned.

    4. Re:The report doesn't say "use Chrome" by Anonymous Coward · · Score: 1

      They didn't even mention the process-model of Firefox. Which would be the first thing a layman would mention. Which at least in theory should make Chromium more secure.

      Not that they really need to replace Firefox in the long run for that. Because Electrolysis, as the multi process Firefox project is called, is scheduled to go in at the end of this year or at the start of next year.

    5. Re:The report doesn't say "use Chrome" by Skuto · · Score: 2

      It's been in Nightly for a while. I'm posting using it. The only thing that doesn't work well for me is...Gmail.

      There's also full sandboxing support, but you need a compile time flag for it.

    6. Re:The report doesn't say "use Chrome" by Anonymous Coward · · Score: 1

      I believe I read somewhere multi-process Firefox is targeted for Firefox 36. That is why I mentioned end of the year.

    7. Re:The report doesn't say "use Chrome" by doom · · Score: 1

      I know this is kind of wild and crazy, but could it be that Firefox is developing this weird reputation of egocentric designers intent on pissing-off long term users because there's actually some truth in it?

  9. links2 -g by Rinikusu · · Score: 1

    And seriously, if you can't make your site look good in links, I don't need you. Wait, /. looks like shit on links... Dammit.

    --
    If you were me, you'd be good lookin'. - six string samurai
  10. Re:Christ..Chrome!?!? by EmagGeek · · Score: 1

    Why the hell would you want to?

  11. If AC PP is actually a pre-mozilla developer... by Anonymous Coward · · Score: 1

    Dating back to the *90s*, and not just as a web developer/end user, I imagine they are *INTIMATELY* familiar with Netscape's culture, which judging by my experiences over the years is anecdotally true. They significantly bloated the netscape browser code before releasing it to the community. They made Mozilla Browser a joke until firefox came out and they jumped their development to the new 'lean browser', neglecting their old all-in-one browser, which in turn IMPROVED after their focus shifted from it. Furthermore they took firefox, originally an extremely lithe, low memory, stable platform, and basically ruined it. The saddest part about that being that extensions came from there, eventually being backported to seamonkey (former mozilla suite) and actually performing as well if not better with the plugins there than in firefox now.

    The state of mozilla development has been a joke since the beginning. They *STILL* aren't cash-flow positive without google's bri^H^H^Hcontributions, and they seem inclined to spend too much time on new features and not enough time fixing fundamental leaks and flaws in their software dating back to when dos based security-free windows was still the dominant user platform!

  12. "...access to private bugs..." by storkus · · Score: 1

    Wait, so Gecko is full of ***KNOWN*** "zero" days--zero in the sense we don't know about them, but Mozilla does? Please tell me I'm reading that wrong!

    1. Re:"...access to private bugs..." by Skuto · · Score: 2

      Security bugs filed against Firefox are private until a new release is out to the users. If the issue is critical (looks like it can be exploited), it will be in an x.0.1 update. If it isn't, then it will be in n+1.

      Another way of stating what you said is "if Firefox engineers find a way to 0-day their own browser, they fix it before plastering the information on how to do it all over the internet".

  13. Re:Not surprising... by ls671 · · Score: 1

    I agree, sometimes it is better to hide in plain site than hide where you could be expected to hide.

    --
    Everything I write is lies, read between the lines.
  14. Re:Not surprising... by ls671 · · Score: 1

    sight

    --
    Everything I write is lies, read between the lines.
  15. That's not what it says at all vs Chrome by Skuto · · Score: 3, Informative

    "The Chrome Security team has been a source of innovation in the browser security space. Tor Browser Bundle is based on Firefox and thus inherits progress made by Mozilla automatically. While improvements in Chrome may not be appropriate for Firefox, they could be integrated in Tor Browser Bundle. In a best case scenario, members of the Chrome Security team may be allowed to work with the Tor Project on these changes."

    Basically it's saying: Chrome is also doing good stuff, combine it with the stuff you get from Mozilla for a better result.

  16. Re: Not surprising... by Skuto · · Score: 1

    Palemoon is just Firefox 24 ESR, which is coincidentally what the Tor Browser Bundle used to be based on.

  17. What about.. by mrmangosir559 · · Score: 1

    What about when Google adds in some code by request of NSA?

  18. Re:Not surprising... by tomrittervg · · Score: 1

    It's all State Department grants and the like for Internet Freedom. They also release all their financials: https://blog.torproject.org/bl...

  19. Re:The report doesn't say by tomrittervg · · Score: 1

    Agreed, we don't say 'Use Chrome', just that Chrome has a lot of security stuff we wish was in Firefox. We explicitly did not investigate FF sandboxing/multi-processing (and I thought we said that we explicitly excluded it) because we're not going to be able to make significant headway on that in 6 weeks while FF has been working on it for a while.

  20. Re: by tomrittervg · · Score: 1

    What Skuto said, except "are private until a new release is out to the users" is really "6 to 12 months or more down the line" because (I think) they affect the Firefox OS core also which is on a much different schedule. You can actually go through all the bugs here: https://github.com/iSECPartner... but most of them will in fact be 'private'.