[__float]

They make note that the vulnerability used is only in Firefox 17--the current ESR (extended support release). What they do not mention is that the Tor Browser Bundle[1]--created so users can simply download one executable and feel protected by Tor--is based on this very release.

Among all internet users, Firefox 17 is probably rare, but among Tor users? My bet is that it owns a significantly higher chunk of the market.

[1] Tor Browser Bundle: https://www.torproject.org/projects/torbrowser.html.en

[cookiecaper]

The quote in the article claims that the exploit affects 17 and higher, only on NT-based platforms.

Furthermore, Tor Browser Bundle disallows JavaScript by default, and one should be cautious while allowing execution of arbitrary client-side code whilst intent on keeping their direct IP address secret. You have to take at least a couple of steps to be affected by this bug.

EDIT: The author has updated the OP and now claims that he believes Firefox 17 is the only affected version. His language is ambiguous such that it is unclear whether the exploit only affects Windows or if the code distributed by FH is simply not attempting to exploit any non-Windows environments (perhaps they were trying to get specific players).

[dylz]

> The quote in the article claims that the exploit affects 17 and higher, only on NT-based platforms.

It does a check for NT-based platforms, the TBB will always identify itself as Windows/NT, even on Linux.

>Tor Browser Bundle disallows JavaScript by default

It has JS globally enabled by default.

[Torgo]

TBB does not disallow javascript by default. In fact they recommend you do not disable javascript because it makes your browser fingerprint more traceable.

[cookiecaper]

Checking on this now. I find it dubious, but possible. I haven't used the Tor Browser Bundle for quite a while, but last I recall they definitely had a mechanism to keep JavaScript from executing. It seems ridiculous that they wouldn't, given their long history of advocacy for NoScript et al. Will edit when done installing/checking.

EDIT: So it seems that NoScript is installed as part of the package, but that scripts are enabled globally by default. I just experienced this with a fresh install. Here's the answer confirming it: https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEna... .

Personally I think that's a horrible compromise, and it's obviously something that's changed since last time I used it. This should be undone ASAP. Some education is required to use Tor properly even without considering things like JavaScript, so teaching someone to enable JS only when prudent should be fine to include as part of that educational package. It seems like there is some nefarious force at work here trying to trick people who really shouldn't be using Tor into using Tor. I know, for instance, that I had to stop several of my friends from using Tor after they heard about it from the news or whatever after the PRISM leaks. Do NOT use Tor if you don't fully understand the implications, like that all data you send through it is going to be decrypted to plaintext at a random exit node that could be run by literally anyone with a modern computer and internet connection.

Fortunately, NoScript continues to warn pretty blatantly with a big red exclamation point that scripts should not be allowed globally, and an educated Tor user will automatically forbid all scripts despite the awful default, so this is probably only a problem for people who are just dinking around anyway.

[Torgo]

[EDIT: edited typo, clarified what TAILS was] I had mentioned (split between a couple other posts) that even with JS enabled, Noscript will prevent many XSS/CSRF and clickjacking attempts, which has been explained to me as the reason for its inclusion. And That disabling Javascript actually makes you more fingerprintable because it's rare for browsers to do this.

I am guessing that the payload that article mentions s/he does not have included a Windows (or Windows Firefox)-specific exploit which bypassed the tor tunnel so that they could then match the cookie in and out of Tor to identify the traffic origin. Otherwise, just having the cookie through Tor would be pretty worthless.

Other people that could be dinged by this would be anybody usuing that specific version of Firefox, without Torbutton. Torbutton wipes cookies when you switch between Tor and not-Tor, but Torbutton as a separate tool has been discontinued and TBB promoted, because to be safe you really need to have a separate browser profile.

On Linux (not targeted by this exploit, but maybe someday) you could avoid this using an Apparmor/SeLinux profile that prevented TBB Firefox from even making a network connection that's not to the Tor tunnel, or possibly even prevent Firefox from knowing it's own IP. Dunno if something like this is even possible on Windows. For traveling, I currently have been experimenting with a VM with TBB and an apparmor profile, and an iptables rule to prevent ANY outside traffic, except Tor. It works but it's a pain in the ass and nobody could be expected to install all that shit. That's what they made TAILS (A bootable disc image with only Tor, saves nothing to your machine, contains no known exploitable extraneous apps) for, people could check that out. Even running TAILS in a VM would have prevented this, though they recommend for maximum security you burn it and boot it.

No sympathy for child pornographers, but obv. this could be used against anybody seeking anonymity.

[hackinthebochs]

>prevented TBB Firefox from even making a network connection that's not to the Tor tunnel, or possibly even prevent Firefox from knowing it's own IP. Dunno if something like this is even possible on Windows.

I don't currently use Tor, but I've thought about it and this is how I would do it. This can be done on windows using a virtual machine that disallows internet connections. Have the VM only able to network with the host OS, which is running the Tor app. That way the VM doesn't have an internet IP to leak, and if firefox itself is compromised there isn't anything on the VM that could give you away.

[foobarqux]

Whonix already does this.

[lawl]

Uhm, I think they have noscript bundled with JS globally disallowed? IIRC, that is.

[Torgo]

They do include noscript, but with JS globally enabled. Noscript will cleanse XSS/CSRF requests and prevent some sorts of clickjacking (according to noscript.)

[duaneb]

To be honest, I tried to use TOR without the bundle and couldn't figure out how to make it work. The software appears only be available as the bundle to a cursory look.

[D9u]

I use Tor, but I don't use the Tor Browser Bundle... It's simple enough to configure my browser to use Tor without relying on yet another executable to do it for me.

[cookiecaper]

The concept is that it's actually not as simple as it may seem. You're using the same cookie jar -- what if you inadvertently send back a cookie with the session ID of your public profile? You'll have flagged yourself as a Tor user and this can be tied back to your public IP. You're using the exact same browser fingerprint, which is more unique than you imagine -- it's not just a matter of useragent, but the combination of all information that can be obtained by a site about your browser. The EFF runs a demo site that shows this can be practically unique in many instances. You've probably enabled scripts on certain sites that may not need to execute JavaScript when you're viewing them through Tor. You probably have less restrictive rules around the injection of plugins that may expose your interface IP address, like Flash. You may do something shady and forget to cleanse it from your history (and/or enter private browsing mode). You may have an extension running that shares more information than you'd like, with either the site or the extension provider.

For all these reasons, TBB exists, and is the safest way (short of a live environment) to ensure you have a sanitized environment. At the very least, you should use a separate browser profile before you switch to an activity that mandates the usage of Tor, unless you're using it only for very rudimentary circumventions.