Security researcher Neal Krawetz has published technical details of two vulnerabilities impacting the Tor network and the Tor browser. The expert also intends to disclose information about at least three alleged zero-day vulnerabilities in Tor. One of the problems reveals the real IP address of Tor servers, he said.
The first problem allows companies and internet service providers to block users from connecting to the Tor network by scanning network connections for "a distinct packet signature" that is unique to Tor traffic. The packet signature can be used to block the initiation of Tor connections and completely ban the use of Tor.
Like the first vulnerability, the second one allows network operators to detect Tor traffic. However, this problem can be used to detect indirect connections. Users make such connections, to Tor bridges, when companies and ISPs block direct access to the Tor network. Connections to Tor bridges can be easily discovered using a similar technique of tracking specific TCP packets.
The researcher is publishing these issues because he believes that the Tor Project does not take the security of its networks, tools, and users seriously enough. He cites previous incidents in which he tried to report bugs to the Tor Project, only to be told that they were aware of the issue and working on a fix, which was never actually deployed.
"I'm giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything. I'm holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days," Krawetz said.
The Tor Project responded to the researcher's blog posts. According to the Tor Project, they are aware of these problems, but they differ in the level of threats they pose to users, and they supposedly cannot be exploited at scale.