Researcher Discovered Two Zero-Days on Tor, but There Are More

  • A researcher who got fed-up with Tor Project’s ignorance has decided to publish two-zero days.
  • The man says there are another three a lot more severe zero-days, which he is keeping private for now.
  • Tor seems to be losing the battle to stay alive and trustworthy, as the team’s capacity is shrinking.

According to reports by security researcher Dr. Neal Krawetz, the Tor Project’s security situation is derailing, and the team behind the popular privacy-protecting browser and network aren’t rising to the occasion. As the man stated, he has already shared the details about two zero-day flaws with the Tor team, but they have done nothing about them.

Moreover, he claims to already hold another three zero-days, which he won’t reveal just yet. This is to allow the Tor Project the time to fix the other two first, as his goal isn’t to put people’s privacy and security at risk.

The researcher reveals that he has reported the flaws to the Tor Project, shared proof of concept exploits, log files, detailed descriptions, examples, and additional explanations. However, the people behind Tor’s development responded by closing the bugs as “known issues,” “informative,” or “brainstormy and researchy.”

These are bugs reported over two years ago and which the Tor Project closed, essentially ignoring the reports. So, the man has decided to open the tap of publicity and release detailed examples of two of the five zero-days he holds, hoping that Tor will do something about them now.

The first flaw describes how ISPs could block Tor users from connecting to the Onion network. It could be based on the identification of network data packet signatures that are characteristic to Tor nodes. The second zero-day was revealed in a follow-up post, giving away enough technical details for its replication and exploitation.

That second flaw describes a way to block Tor bridge relay connections by identifying obfs4 traffic. Bridges are an alternative method of connecting to the Tor network, so the two zero-days combined would allow someone to enforce Tor policies and prevent all ways of connecting to the net privately.

obfs4 IP
Source: The Hacker Factor Blog

As for the three undisclosed flaws, these are even worse, as the researcher said they could be used to reveal the user’s real IP address, de-anonymize Tor servers, and compromise the network in the worst possible way.

Back in April, Tor was forced to lay off 37% of its development team, as the pandemic had severely trimmed the donations and contributions the project received. That said, the Tor Project is already in a dire position - and the zero-day reports that surface are only increasing the rate of trust loss from the user community.

REVIEW OVERVIEW

Latest

How to Watch Panic 9-1-1 Season 3 Online From Anywhere: Stream the A&E Documentary Series

Panic 9-1-1 features the real, urgent, unrehearsed 911 audio between emergency dispatchers and frantic callers as life and death situations unfold around...

How to Watch The Chi Season 5 Online From Anywhere

A new season of The Chi will premiere soon, and you will be able to stream all the episodes online quite easily...

How to Watch the 2022 Glastonbury Festival Online for FREE From Anywhere

One of the world's favorite music festivals reached its 50th edition, and if you weren't among the lucky fans to secure a...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari