Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Fights FBI In Court For Details On Tor Browser Hack (helpnetsecurity.com)

Posted by BeauHD on from the help-me-Obi-Wan-Kanobi dept.

An anonymous reader writes from a report on Help Net Security: Mozilla has asked a Washington State District Court to compel FBI investigators to provide details about a vulnerability in the Tor Browser hack with them, before they share it with the defendant in a lawsuit, so that they could fix it before the knowledge becomes public. The lawsuit in question is against Jay Michaud, a Vancouver (Wa.) teacher that stands accused of accessing and downloading child pornography from a website on the Dark Web. The FBI used a "network investigative technique" (NIT) to discover the IP address and identity of the defendant, which was only possible from a vulnerability in the Tor Browser. Why does Mozilla care to learn about the vulnerability? "The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser," Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, explained.

1 of 58 comments (clear)

  1. Re:Maybe a civil suit by tlhIngan · · Score: 3, Informative

    The FBI is saying they actively exploit a flaw in Firefox but won't say what that flaw is. This course of action actively deters people from using firefox. Mozilla can't dispute the FBIs claim since there is no evidence given. If the FBI won't disclose the vulnerability I sure hope they can sued for libel since that's exactly what is left.

    It's probably sitting in their security Bugzilla, to be honest. Firefox is a security nightmare - so much so that Pwn2Own this year decided to not accept Firefox flaws anymore - Firefox is too easy a target.

    The major web browsers have all started shedding privileges when they run - especially on Windows with its low integrity mode where it's restricted in its interactions with users and other windows and even the filesystem (it's why IE always has to move files when its done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process. Any drive-by downloads are stuck in the temporary location, and any regular download triggers the high integrity process which cannot be interacted with by the low integrity process.).

    Firefox doesn't exploit those features at all. Chrome does as well.