Annoyed Researcher Disclosed Multiple Zero-Day Bugs In Tor Browser And Tor Network


The Tor browser, which routes its traffic through the Tor network, is used by many people to bypass restrictions. Because of that, any privacy issue in it can cause serious problems.

After years of unsuccessfully trying to report bugs to the Tor Project, security researcher Dr. Neal Krawetz has disclosed two zero-day vulnerabilities that affect both the Tor network and the Tor browser.

Annoyed, he plans to disclose at least three more Tor zero-days, including one that can be exploited to reveal the real IP addresses of Tor servers.

Krawetz said he decided to make the case public because the Tor Project has failed to address the security issues.

In a blog post, the security researcher gave further insight into the difficulties he has had dealing with the Tor Project over the years, saying that:

"While it is easier now to report vulnerabilities to the Tor Project, they are still unlikely to fix anything. I've had some reports closed out by the Tor Project as 'known issue' and 'won't fix'. For an organization that prides itself on their secure solution, it is unclear why they won't fix known serious issues."

When a researcher stumbles upon a security vulnerability in a system or product, a good researcher reports it to the right people.

Sometimes the reporting process is painless, meaning that the company or developer who created the system or product is cooperative. In other cases, the process can be more challenging.

But in this case, Krawetz found the people behind the Tor Project to be unresponsive.

Because the Tor browser and the Tor network are used by many people to bypass restrictions imposed by ISPs and governments, bugs in the system can cause serious harm, especially to users in countries with oppressive regimes.

This worries Krawetz.

"At that point, I have a few options. I can sell the vulnerability to someone else who will certainly exploit it. I can just let it sit -- maybe the bug will be fixed by coincidence or become obsolete, or maybe I'll find another use for it later," Krawetz said, describing how bug reporting is like a masochistic scavenger hunt to him.

"However, sometimes I have reasons for needing a specific issue fixed soon. If the company doesn't respond to security reports, then maybe they will react to public shaming."

The two zero-day exploits Krawetz has disclosed so far are meant to publicly shame the people at Tor who have been unresponsive about fixing issues.

Peeking

The first of the two zero-days could be used by organizations and ISPs to block users from connecting to the Tor Network.

All they need to do is scan network connections for "a distinct packet signature" that is unique to Tor traffic and then block those connections before they are established. This way, organizations and ISPs that run the network can prevent Tor users from connecting to the Tor network.

While the first zero-day could be leveraged to detect direct connections to Tor nodes, the second zero-day can be used to detect indirect connections.

Indirect connections are used by Tor to create Tor bridges, a special type of entry point into the network that users fall back on when direct access to the Tor network is blocked by organizations and ISPs. In other words, bridges act as proxy points that relay connections from the user to the Tor network itself.

According to Krawetz, connections to Tor bridges can also be easily detected with a similar technique, by tracking specific TCP packets.

"Between my previous blog entry and this one, you now have everything you need to enforce the policy [of blocking Tor on a network] with a real-time stateful packet inspection system. You can stop all of your users from connecting to the Tor network, whether they connect directly or use a bridge," Dr. Krawetz said.

Krawetz, who operates multiple Tor nodes himself, said that after disclosing the two zero-days affecting Tor, he intends to disclose three more in the future if he still believes the Tor Project does not take the security of its network, tools, and users seriously enough.

After Krawetz's findings and tweet went viral, the Tor Project finally responded in a tweet.

Published: 04/08/2020