Two Tor Zero-Days Disclosed


Saturday, August 1st, 2020

Researcher Dr. Neal Krawetz has published details of multiple zero-day issues affecting the Tor network and the Tor Browser. In blog posts last week, Dr. Krawetz said he was going public with two zero-days because the Tor Project had, in his view, repeatedly failed to address security issues he reported over the years. He has also promised to reveal at least three more Tor zero-days, one of which he says can be used to reveal the real-world IP address of Tor servers, a disclosure that could deal a serious blow to the popularity and use of the Tor network.

The first security issue, posted on Dr. Krawetz's blog on July 23rd, details how companies and ISPs could block users from connecting to the Tor network by scanning network connections for "a distinct packet signature" that is unique to Tor traffic. Matching on this signature would let a network operator block Tor connections before they are established, effectively banning Tor altogether, an ability that countries and corporations could exploit and abuse.

In a second post published July 30th, Dr. Krawetz disclosed the second zero-day, which can also be used to monitor for Tor traffic. This vulnerability can be exploited to identify connections that users make to Tor bridges, a special type of entry point into the Tor network intended for use when companies and ISPs block direct access to the Tor network. According to the post, connections to Tor bridges can be detected with a similar technique, by watching for specific TCP packets.

Dr. Krawetz also takes issue with the lack of response and remediation by the Tor Project on several other well-known vulnerabilities within the Tor network. These include but are not limited to:

  • A bug that allows websites to detect and fingerprint Tor browser users by the width of their scrollbar, which the Tor Project has known about since at least June 2017.
  • A bug that allows network adversaries to detect Tor bridge servers using their OR (onion router) port, reported eight years ago.
  • A bug that lets attackers identify the SSL library used by Tor servers, reported on December 27, 2017.

None of these issues has been properly addressed or fixed by the Tor Project. According to Dr. Krawetz, he has repeatedly attempted to work with the Tor Project to fix these issues but has not received a satisfactory response, which led him to "publicly shame" the Tor Project. He has published a series of blog and Twitter posts, hoping to rally public pressure on the Tor Project to patch these vulnerabilities.

As of 20:30 ET on July 30th, the Tor Project had responded to Dr. Krawetz, but it pushed back on the severity of the vulnerabilities and the threat they pose to users, arguing that the blocking techniques he describes cannot be enforced at scale. The Tor Project also disagreed with Dr. Krawetz's classification of the issues detailed on his blog as zero-days.
