It's all gravy for the onion router as Tor Browser beefs up security

News by Davey Winder

Tor Browser 7.5 has been released this week complete with a bunch of security fixes that have already been rolled out to the Firefox Extended Support Release (ESR) 52.6 client it is built upon.

Tor Browser 7.5 has been released this week complete with a bunch of security fixes that have already been rolled out to the Firefox Extended Support Release (ESR) 52.6 client it is built upon. Firefox ESR is similar to other versions of the Mozilla browser client, but doesn't update as frequently apart from the regular security updates. 

So what has changed in Tor Browser 7.5, the first stable update release in the 7-series client? Fixes include those for a critical use-after-free vulnerability that could occur during WebRTC connections when interacting with DTMF timers. Then there's a high impact rated integer overflow vulnerability in the Skia library when allocating memory for edge builders, and other use-after-free vulnerabilities which could occur while editing events in form elements on a page and when a source document was manipulated during XSL transformations. The full security fix list for can be found in Mozilla Foundation Security Advisory 2018-02.

Then there is support for the next-generation onion services protocol for clients and services, which currently means content sandboxing enabled on Windows and improvements to compiler hardening on macOS. However, Tor update support is built-in, and that will mean features such as offline keys, advanced client authorisation and improved guard algorithms as they roll out. 

Earlier this month the latest version of Tor itself, 0.3.2.9, was also released and also included a bunch of security updates, including: better crypto, improved directory protocol (less information leakage to directory servers and smaller attack surface for targeted attacks) and better onion address spoofing protection. Security fixes include a denial of service bug using malformed directory objects to "cause a Tor instance to pause while OpenSSL would try to read a passphrase from the terminal" and another where an attacker could "crash a directory authority using a malformed router descriptor." 

So, both Tor and the Tor Browser client have been beefing up the security side of things but does all this make it a safe environment for those looking to be securely anonymous online? After all, Tor has been no stranger to reports of FBI server takeovers and investment from the US Cyber Command to research hacking the Tor Project.

Paul Bischoff, a privacy advocate for Comparitech.com, insists that Tor "continues to be the gold standard for online anonymity" and the updates "show the team behind it is committed to improving and maintaining the project." However, Bischoff is quick to point out that privacy is not synonymous with anonymity and that Tor has always focused on the latter. The latest update to Tor Browser includes the easier configuration of bridges which can be used to bypass censorship. "In the past" Bischoff says "it was easy for ISPs and websites to detect tor connections, even if they cannot actually monitor the content of the traffic being sent." By uncomplicating bridge configuration, Tor Browser helps users hide the fact that they are connecting to the Tor network itself.

However, Graeme Park, senior consultant at Mason Advisory, warns that the biggest issues with Tor have always been within the user space itself. "Installing Tor but not configuring their browser, installing the correctly configured Tor browser but revealing telling details on a message board" Park explains "and allowing 3rd party add-ons that can reveal other private information." 

Bob Rudis, chief data scientist at Rapid7, adds that the client-side updates supporting 'safer' routing protocols using newer crypto algorithms "help prevent information disclosure and ensure better anonymity of onion nodes, but do not make Tor bulletproof." As Rudis continues "you still need to have good personal operational security practices and a regularly patched browser with a configuration that further enhances tracking protection (ideally always running with javascript disabled)."

"What this release really means is Tor continues an epic battle between organisation's trying to unmask users of Tor (for whatever purpose) and steadfastly innovating and securing against such attacks" says Ian Trump, chief technology officer, Octopi Research Lab (UK) in conversation with SC Media UK who concludes "the struggle between the Tor developers and their protagonists will continue for the foreseeable future."
Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events