Zero-day vulnerabilities discovered in the Tor network and browser put users' security at risk
Security researcher Dr. Neal Krawetz has found multiple vulnerabilities in the Tor network and browser that need to be resolved as soon as possible. The Tor Network (or just “Tor”) is an implementation of a program that was originally developed by the US Navy in the mid-1990s. It gives users greater anonymity online by encrypting internet traffic and passing it through a series of nodes.
According to the researcher, the Tor network contains two zero-day vulnerabilities and three other critical vulnerabilities that should be resolved. He also said that Tor has serious security problems and that he informed the developers, but they refuse to do anything.
I'm giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything.
I'm holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days.
— Dr. Neal Krawetz (@hackerfactor) June 4, 2020
Dr. Krawetz is a computer security specialist, forensic researcher, and founder of FotoForensics. He also uses numerous Tor nodes and has regularly spotted and reported bugs in Tor. In disclosing the first Tor security flaw, the researcher described how companies and internet service providers could block users from connecting to the Tor network by scanning network connections for “a distinct packet signature” that is unique to Tor traffic.
Exploiting the flaw could prevent Tor connections from initiating and effectively ban Tor altogether, an issue that oppressive regimes are very likely to abuse.
The second vulnerability reported by the researcher also allows network operators to detect Tor traffic. This time, however, the detection covers indirect connections rather than, as in the previous case, direct connections to the Tor network. These are the connections that users make to Tor bridges, a special type of network entry point that can be used when companies and operators block direct access to the Tor network.
“Going back to my initial premise: Suppose you’re a company that has a ‘no Tor on the corporate network’ policy. Between my previous blog entry and this one, you now have everything you need to enforce the policy with a real-time stateful packet inspection system. You can stop all of your users from connecting to the Tor network, whether they connect directly or use a bridge,” said the researcher.
Usually, developers themselves release security patches and updates. It is important that we always have new versions to avoid possible failures that put us at risk.