Tor Browser Security Under Scrutiny

msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.

Why not work with Mozilla

[Virtucon]

Why not work with Mozilla to address the issues? What about Chromium? I'd put the brakes on anything Google does with Chrome. Their ever-shifting policies have meant that it's no longer a preferred solution to our clients and to my customers. These aren't minor issues either since Google has been building their own walled garden, something a lot of FOSS and Commercial Software organizations won't support. Firefox at least for now, is void of these issues and is much friendlier to the community as a whole.

Re:Why not work with Mozilla

[wbr1]

Chrome/chromium on windows uses the Windows Crypto API to install and verify certs. This bypasses the TOR proxy and allows for a MITM attack with no user knowledge. Changing this requires more work then what they have to do with FF.

My questions are thus... why not move to a model where the entire OS is forced through the tor proxy, This could be done with the use of a dummy network adapter and disabling the current adapter while tor is in use. Yes it would likely break certain OS features during that time, but there it is.

TFA also discusses putting a dumbed down security 'slider' on the browser, but still the default is to allow JIT/JS. Currently you have noscript installed, but not turned off in a fresh install. A few lines of JS is enough to identify an IP or fingerprint more of the system. The default should be most secure with warnings to open it up. Period. At install time you already explin that things do not work like you are used to and then allow the user to decide to reduce security. Anything else provides an illusion of security to a naive user, but still allows an adversary easy means of detection.

Re:Findings...

[Em+Adespoton]

One question I have is:
They say ASLR is disabled, and then they recommend using the product with EMET. However, if ASLR is disabled, doesn't that mean that EMET won't be compatible? EMET requires a number of features to be handled correctly before it can be used.

Seems to me that what really has to happen (in this order) is:

1) Mozilla fixes jemalloc or just replaces it with something like PartitionAlloc, fixing these issues for ALL variants that depend on it.

2) TorBrowser takes the Firefox code and recompiles the source as a single package for each target platform, and feeds THAT into its reproducable build system, instead of using standard cross-compile methods. No library loads, etc, just build a binary blob + chrome. This should be able to work under ASLR, if they do it right.

3) Fix whatever's left that prevents TorBrowser running alongside EMET. However, I think after 1 and 2 are done, there shouldn't be a problem here. Some of EMET's features are already baked in to OS X, so if the above issues are fixed, OS X should be in a stable state as well.

4) Assuming 1 and 2 are listed as priorities for both OTF and Mozilla, this should be doable by sometime in Jan/Feb 2015. Probably the best route would be to start a kickstarter ending at sometime in Feb to raise money for a pwn2own slot. If they don't make the deadline in tightening things up, pledges are dropped and nobody loses. If they DO make the deadline, they get the funds, and contestants will proceed to punch holes in the browser. Mozilla will also benefit from this attack, and should probably contribute to said kickstarter.

Re:Not surprising...

[Applehu+Akbar]

I feel the same way about Tor as I do about DuckDuckGo: if I were paranoid enough to use it, I would be paranoid enough to wonder how it gets along without a business model.

The report doesn't say "use Chrome"

[roca]

Maybe I'm missing something, but I've read the whole report and I can't find anything that says "don't favor Firefox as a baseline for Tor, rather Google Chrome".

Re:The report doesn't say "use Chrome"

They don't. They simply acknowledge that Chrome has a safer memory deallocator, and that the Chrome team has some put some actual effort into security in their browser.

There is just an active effort now to discredit Firefox at every possible opportunity. It has cropped up in pretty much every browser discussion, at pretty much every opportunity. For every negative point that might have some merit or at least tries to be level-headed, there are two or more that blindly paint Firefox and Mozilla in a negative light. They all follow the usual "us vs them" mentality and chant a mantra that nothing good has happened to Firefox since version 3, that Mozilla is doing nothing but ignoring users, and so forth.

It's actually getting rather disconcerting. It reminds me of the period where the anti-Internet Explorer hype machine kicked into overdrive. Except this time it's almost entirely unwarranted.

Re:The report doesn't say "use Chrome"

[Skuto]

I was wondering the same thing. The only thing the report says is "implementing security features that Chromium has and work in Firefox would help Tor".

The headline is a lie.

That's not what it says at all vs Chrome

[Skuto]

"The Chrome Security team has been a source of innovation in the browser security space. Tor Browser Bundle is based on Firefox and thus inherits progress made by Mozilla automatically. While improvements in Chrome may not be appropriate for Firefox, they could be integrated in Tor Browser Bundle. In a best case scenario, members of the Chrome Security team may be allowed to work with the Tor Project on these changes."

Basically it's saying: Chrome is also doing good stuff, combine it with the stuff you get from Mozilla for a better result.