After years of unsuccessful attempts to report bugs to the Tor Project, a security researcher has publicly disclosed two zero-day vulnerabilities that affect both the Tor network and the Tor Browser.
In two recent blog posts, Dr. Neal Krawetz announced that he has decided to go public with details on multiple zero-days in Tor after the Tor Project failed to address the security issues he reported. Krawetz also plans to reveal at least three more Tor zero-days including one that can be exploited to show the real-world IP addresses of Tor servers.
Krawetz provided further insight on his difficulties dealing with the Tor Project as a security researcher over the years in a blog post, saying:
“After my public shaming of the Tor Project (in 2017), they changed their web site design to make it easier to report vulnerabilities. They also opened up their bug bounty program at HackerOne. Unfortunately, while it is easier now to report vulnerabilities to the Tor Project, they are still unlikely to fix anything. I’ve had some reports closed out by the Tor Project as ‘known issue’ and ‘won’t fix’. For an organization that prides itself on their secure solution, it is unclear why they won’t fix known serious issues.”
The first of the two zero-days disclosed by Krawetz could be used by organizations and ISPs to block users from connecting to the Tor network. To do so, they would need to inspect network traffic for “a distinct packet signature” that is unique to Tor. Because the signature is present as a connection is initiated, matching on it would let a network block Tor connections before they are established, preventing users from connecting to the service at all.
While the first zero-day could be leveraged to detect direct connections to Tor guard nodes, the normal entry points into the Tor network, the second zero-day can be used to detect indirect connections through Tor bridges. Bridges are a special type of entry point, not listed in the public relay directory, intended for users whose direct access to the Tor network is blocked by a company or ISP.
According to Krawetz, connections to Tor bridges can be detected just as easily, using a technique similar to the first: tracking specific TCP packets.
Now that two zero-days affecting Tor have been disclosed, with three more possibly to follow, Tor users in countries with oppressive regimes such as North Korea and Syria may soon be unable to use the service. Hopefully, the Tor Project will recognize the seriousness of the issues Krawetz has disclosed and fix them before that happens.