[cookiecaper]

The quote in the article claims that the exploit affects 17 and higher, only on NT-based platforms.

Furthermore, Tor Browser Bundle disallows JavaScript by default, and one should be cautious while allowing execution of arbitrary client-side code whilst intent on keeping their direct IP address secret. You have to take at least a couple of steps to be affected by this bug.

EDIT: The author has updated the OP and now claims that he believes Firefox 17 is the only affected version. His language is ambiguous such that it is unclear whether the exploit only affects Windows or if the code distributed by FH is simply not attempting to exploit any non-Windows environments (perhaps they were trying to get specific players).

[dylz]

> The quote in the article claims that the exploit affects 17 and higher, only on NT-based platforms.

It does a check for NT-based platforms, the TBB will always identify itself as Windows/NT, even on Linux.

>Tor Browser Bundle disallows JavaScript by default

It has JS globally enabled by default.

[Torgo]

TBB does not disallow javascript by default. In fact they recommend you do not disable javascript because it makes your browser fingerprint more traceable.

[cookiecaper]

Checking on this now. I find it dubious, but possible. I haven't used the Tor Browser Bundle for quite a while, but last I recall they definitely had a mechanism to keep JavaScript from executing. It seems ridiculous that they wouldn't, given their long history of advocacy for NoScript et al. Will edit when done installing/checking.

EDIT: So it seems that NoScript is installed as part of the package, but that scripts are enabled globally by default. I just experienced this with a fresh install. Here's the answer confirming it: https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEna... .

Personally I think that's a horrible compromise, and it's obviously something that's changed since last time I used it. This should be undone ASAP. Some education is required to use Tor properly even without considering things like JavaScript, so teaching someone to enable JS only when prudent should be fine to include as part of that educational package. It seems like there is some nefarious force at work here trying to trick people who really shouldn't be using Tor into using Tor. I know, for instance, that I had to stop several of my friends from using Tor after they heard about it from the news or whatever after the PRISM leaks. Do NOT use Tor if you don't fully understand the implications, like that all data you send through it is going to be decrypted to plaintext at a random exit node that could be run by literally anyone with a modern computer and internet connection.

Fortunately, NoScript continues to warn pretty blatantly with a big red exclamation point that scripts should not be allowed globally, and an educated Tor user will automatically forbid all scripts despite the awful default, so this is probably only a problem for people who are just dinking around anyway.

[Torgo]

[EDIT: edited typo, clarified what TAILS was] I had mentioned (split between a couple other posts) that even with JS enabled, Noscript will prevent many XSS/CSRF and clickjacking attempts, which has been explained to me as the reason for its inclusion. And That disabling Javascript actually makes you more fingerprintable because it's rare for browsers to do this.

I am guessing that the payload that article mentions s/he does not have included a Windows (or Windows Firefox)-specific exploit which bypassed the tor tunnel so that they could then match the cookie in and out of Tor to identify the traffic origin. Otherwise, just having the cookie through Tor would be pretty worthless.

Other people that could be dinged by this would be anybody usuing that specific version of Firefox, without Torbutton. Torbutton wipes cookies when you switch between Tor and not-Tor, but Torbutton as a separate tool has been discontinued and TBB promoted, because to be safe you really need to have a separate browser profile.

On Linux (not targeted by this exploit, but maybe someday) you could avoid this using an Apparmor/SeLinux profile that prevented TBB Firefox from even making a network connection that's not to the Tor tunnel, or possibly even prevent Firefox from knowing it's own IP. Dunno if something like this is even possible on Windows. For traveling, I currently have been experimenting with a VM with TBB and an apparmor profile, and an iptables rule to prevent ANY outside traffic, except Tor. It works but it's a pain in the ass and nobody could be expected to install all that shit. That's what they made TAILS (A bootable disc image with only Tor, saves nothing to your machine, contains no known exploitable extraneous apps) for, people could check that out. Even running TAILS in a VM would have prevented this, though they recommend for maximum security you burn it and boot it.

No sympathy for child pornographers, but obv. this could be used against anybody seeking anonymity.

[hackinthebochs]

>prevented TBB Firefox from even making a network connection that's not to the Tor tunnel, or possibly even prevent Firefox from knowing it's own IP. Dunno if something like this is even possible on Windows.

I don't currently use Tor, but I've thought about it and this is how I would do it. This can be done on windows using a virtual machine that disallows internet connections. Have the VM only able to network with the host OS, which is running the Tor app. That way the VM doesn't have an internet IP to leak, and if firefox itself is compromised there isn't anything on the VM that could give you away.

[foobarqux]

Whonix already does this.

[hackinthebochs]

Looks sweet. I'll check it out.

[lawl]

Uhm, I think they have noscript bundled with JS globally disallowed? IIRC, that is.

[Torgo]

They do include noscript, but with JS globally enabled. Noscript will cleanse XSS/CSRF requests and prevent some sorts of clickjacking (according to noscript.)