Researcher Discovered Two Zero-Days on Tor, but There Are More

  • A researcher who got fed up with being ignored by the Tor Project has decided to publish two zero-days.
  • He says there are three more zero-days, far more severe, which he is keeping private for now.
  • Tor seems to be losing the battle to stay alive and trustworthy, as the team’s capacity is shrinking.

According to reports by security researcher Dr. Neal Krawetz, the Tor Project’s security situation is going off the rails, and the team behind the popular privacy-protecting browser and network isn’t rising to the occasion. As he stated, he has already shared the details of two zero-day flaws with the Tor team, but they have done nothing about them.

Moreover, he claims to already hold another three zero-days, which he won’t reveal just yet. This is to allow the Tor Project the time to fix the other two first, as his goal isn’t to put people’s privacy and security at risk.

The researcher says that he reported the flaws to the Tor Project and shared proof-of-concept exploits, log files, detailed descriptions, examples, and additional explanations. However, the people behind Tor’s development responded by closing the bugs as “known issues,” “informative,” or “brainstormy and researchy.”

These bugs were reported over two years ago, and the Tor Project closed them, essentially ignoring the reports. So, he has decided to go public and release detailed examples of two of the five zero-days he holds, hoping that Tor will do something about them now.

The first flaw describes how ISPs could block Tor users from connecting to the Onion network. The blocking could be based on identifying network packet signatures that are characteristic of Tor nodes. The second zero-day was revealed in a follow-up post, giving away enough technical details for its replication and exploitation.

That second flaw describes a way to block Tor bridge relay connections by identifying obfs4 traffic. Bridges are an alternative method of connecting to the Tor network, so the two zero-days combined would allow someone to enforce Tor-blocking policies and prevent all ways of connecting to the network privately.

[Image: obfs4 IP. Source: The Hacker Factor Blog]

As for the three undisclosed flaws, these are even worse, as the researcher said they could be used to reveal the user’s real IP address, de-anonymize Tor servers, and compromise the network in the worst possible way.

Back in April, Tor was forced to lay off 37% of its development team, as the pandemic had severely trimmed the donations and contributions the project received. The Tor Project is therefore already in a dire position, and the zero-day reports now surfacing are only accelerating the loss of trust among its user community.
