- A researcher who got fed up with the Tor Project’s ignorance has decided to publish two zero-days.
- The researcher says there are another three, far more severe zero-days, which he is keeping private for now.
- Tor seems to be losing the battle to stay alive and trustworthy, as the team’s capacity is shrinking.
According to reports by security researcher Dr. Neal Krawetz, the Tor Project’s security situation is derailing, and the team behind the popular privacy-protecting browser and network isn’t rising to the occasion. As he stated, he has already shared the details of two zero-day flaws with the Tor team, but they have done nothing about them.
Moreover, he claims to already hold another three zero-days, which he won’t reveal just yet. This is to allow the Tor Project the time to fix the other two first, as his goal isn’t to put people’s privacy and security at risk.
I'm giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything.
I'm holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days.
— Dr. Neal Krawetz (@hackerfactor) June 4, 2020
The researcher reveals that he has reported the flaws to the Tor Project and shared proof-of-concept exploits, log files, detailed descriptions, examples, and additional explanations. However, the people behind Tor’s development responded by closing the bugs as “known issues,” “informative,” or “brainstormy and researchy.”
These bugs were reported over two years ago, and the Tor Project closed them, essentially ignoring the reports. So, the researcher has decided to open the tap of publicity and release detailed examples of two of the five zero-days he holds, hoping that Tor will do something about them now.
The first flaw describes how ISPs could block Tor users from connecting to the Onion network. The blocking could be based on identifying network data packet signatures that are characteristic of Tor nodes. The second zero-day was revealed in a follow-up post, which gives away enough technical details for its replication and exploitation.
That second flaw describes a way to block Tor bridge relay connections by identifying obfs4 traffic. Bridges are an alternative method of connecting to the Tor network, so the two zero-days combined would allow someone to enforce Tor-blocking policies and prevent all ways of connecting to the net privately.
As for the three undisclosed flaws, these are even worse, as the researcher said they could be used to reveal the user’s real IP address, de-anonymize Tor servers, and compromise the network in the worst possible way.
Back in April, Tor was forced to lay off 37% of its development team, as the pandemic had severely trimmed the donations and contributions the project received. The Tor Project is therefore already in a dire position, and the zero-day reports that surface are only accelerating the loss of trust among its user community.