31 July 2020

Researcher has published details of multiple Tor security issues


Security researcher Neal Krawetz has published technical details of two vulnerabilities impacting the Tor network and the Tor browser. The expert also intends to disclose information about at least three alleged zero-day vulnerabilities in Tor. One of them, he said, reveals the real IP address of Tor servers.

The first problem allows companies and internet service providers to block users from connecting to the Tor network by scanning network connections for "a distinct packet signature" that is unique to Tor traffic. The packet signature can be used to block the initiation of Tor connections and completely ban the use of Tor.

Like the first vulnerability, the second one allows network operators to detect Tor traffic. However, this problem can be used to detect indirect connections: the connections users make to Tor bridges when companies and ISPs block direct access to the Tor network. Connections to Tor bridges can be easily discovered using a similar technique of tracking specific TCP packets.

The researcher is publishing these issues because he believes that the Tor Project does not take the security of its networks, tools, and users seriously enough. He cites previous incidents in which he tried to report bugs to the Tor Project, only to be told that they were aware of the issue and working on a fix, which was never actually deployed.

"I'm giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything. I'm holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days," Krawetz said.

The Tor Project responded to the researcher's blog posts. According to the Tor Project, it is aware of these problems, but they differ in the level of threat they pose to users, and they supposedly cannot be exploited at scale.
