[cookiecaper]

This whole post is a mess. Someone distributes an exploit via a popular hosting provider for onion sites (and it's curious why anyone with a serious interest in privacy would outsource onion site hosting anyway) and suddenly Tor is damaged? There's a link to a paper that claims people can do things you're not supposed to be able to do with onion sites, but I don't see how that's relevant -- this post is conflating at least a few things.

So here's what I can grok from it:

* "Freedom Hosting" founder has been arrested; presumably, many people were using "Freedom Hosting" to host onion sites (is this where "half of all Tor sites compromised" comes from?). No charges listed, article slightly hints at child pornography charges.

* Someone, presumably the FBI, has set up an exploit to be distributed through Freedom Hosting sites that will phone home and reveal your non-Tor IP address (solution: seven proxies). "Freedom Hosting" founder was probably coerced into allowing distribution of this exploit.

* Author claims that said exploit only affects Firefox >= 17 on Windows.

* There's a link to a paper about possible problems with hidden services, which is apparently not relevant to any of this other than the fact that there was just a shakedown on a big onion site provider.

I'm flagging this article because it is utterly incoherent and the headline is sensationalist. There is no evidence of a fundamental flaw in Tor being related to any of the events mentioned. Hopefully someone will write a comprehensible piece soon and put it out there.

[secure]

Here is a statement by the tor project about it:

https://blog.torproject.org/blog/hidden-services-current-eve...

[makomk]

The exploit is targeted at the version of Firefox in the Tor Browser Bundle on Windows, which means most Tor users are vulnerable. While you can use a different browser the Tor developers have generally recommended that people don't; it's hard to lock down browsers against information leaks, and the fact that someone's using an unusual browser helps an attacker track them.

[mbrubeck]

Actually it turns out to exploit an vulnerability that was already fixed in both Firefox and Firefox ESR:

https://blog.mozilla.org/security/2013/08/04/investigating-s...

The fix was included in a Tor Browser Bundle update on June 26, 2013:

https://blog.torproject.org/blog/new-tor-browser-bundles-and...

[syncerr]

It's specifically targeting Firefox 17 for Windows. Versions less than 17 seem to be targeted as well, but the resource (content_1.html) doesn't seem to have ever been available. It does not target anything above 17.

http://pastebin.mozilla.org/2777139

[aqme28]

How is it sensationalist? The headline was not that there is a vulnerability in TOR, but a vulnerability in "half of all TOR sites."

[cookiecaper]

The headline implies that the "compromise" is an inherent failure in the protocol (or else how could "half" of all sites be infected?) instead of the reality that the hosting provider intentionally placed an exploit in all of their pages.

A better title may be like: "major .onion hosting service infiltrated by feds, all sites converted to honeypots; founder arrested". This does not imply any fundamental flaws in Tor itself or the technology in use, it does not falsely attribute a specific portion of .onion sites as infected, it does not communicate uncertainty into which sites are damaged (only sites hosted by Freedom Hosting were affected afawk), and it correctly reflects the events.

[pyre]

> The headline implies that the "compromise" is an inherent failure in the protocol

Personally, I didn't read it that way at all. My first assumption was a hack, because it's more likely that a website was hacked than that the Tor protocol was so severely compromised.

> or else how could "half" of all sites be infected?

To me it sounded like a possible major law enforcement operation against 'rogue' sites. If someone was able to compromise Tor so completely, the idea that they would turn around and just hack half of the hidden sites doesn't make sense. Such an exploit would be worth major cash on the exploit market (mostly due to governments bidding against each other to get it).

[threeseed]

You're being bizarrely pedantic.

If the headline had read "half of all web sites compromised" I would never have it thought it was because of some underlying fault with HTTP.

[cookiecaper]

Onion sites are (typically) accessed over HTTP, so the fact that I didn't think HTTP was flawed demonstrates that there's some misinterpretation here.

I'd suggest that you're the one being overly pedantic. "Protocol" doesn't necessarily have to refer to something explicitly labeled as a "protocol".

[RodericDay]

language is incredibly important. thank you a lot for the explanation.

[hnnnnng]

'infiltrated by feds' is a presumption based on speculation at this point. Assumptions dont 'correctly reflect events'. If you want to fix something, fix it entirely.

[cookiecaper]

It correctly reflects events as detailed by the post. The post clearly assumes that "the FBI" originated the exploit code and has been using it to harvest visitor IP addresses. I believe "infiltrated" is a fine summarization for that.

I suppose it's possible that the founder had a change of heart two days prior to his arrest and started collecting everyone's IP and sending it to the FBI based on nothing but a sense of personal moral obligation, but it doesn't seem too likely, and it's irrelevant either way because again, the proposed title is an accurate description of the posted article, even if the posted article is an inaccurate depiction of Real Life(tm).

[erikpukinskis]

It's just misleading. It's like if there was an exploit for iPhones and the headline was "Half of Verizon network hacked". It's not some arbitrary half of the Tor network, it's 100% of Freedom Hosting's clients.

[lelf]

many people were using "Freedom Hosting" to host onion sites

tormail.org amongst them it seems. It's used at times by users of one famous online store of particular substances.

Just info. It's their problem if db leaked and they didn't use encryption of course.

[RivieraKid]

I'm pretty sure that most of the upvoters did just read the title, not the article.

[duaneb]

> solution: seven proxies

Is it possible to route TOR traffic over TOR?