[tor-talk] FBI cracked Tor security
Jon Tullett
jon.tullett at gmail.com
Thu Jul 14 11:45:50 UTC 2016
On 14 July 2016 at 12:52, <me at beroal.in.ua> wrote:
> On 14.07.16 09:23, Jon Tullett wrote:
>>
>> On 14 July 2016 at 01:51, Nick Levinson <nick_levinson at yahoo.com> wrote:
>>>
>>> The FBI reportedly cracked Tor's security to crack a child porn case with
>>> over 100 arrests of Tor users.
>>
>> I think what you'll find in such cases is that the FBI generally crack
>> the servers hosting the illicit material, not Tor itself.
>
> It's still unclear to me whether there is a vulnerability in Firefox, in Tor
> Browser, or in Tor.
These are separate issues with separate ramifications. Breaking
Firefox is comparatively trivial. Breaking Tor would be extremely
untrivial, both in effort and implication.

Take one scenario; the FBI deploys malware on a server to identify its
users. That doesn't require (or even benefit from) attacking the Tor
network directly. It's about exploiting vulnerabilities in the hosting
software for delivery, then about vulnerabilities in the users'
browsers for infection. That may be browser vulnerabilities or Flash
vulns or whatever, but again, nothing to do with Tor.

Also worth separating Tor and TBB. Vulnerabilities in TBB would likely
be flaws in Firefox or a bundled addon. Exploiting that is certainly
plausible, but doesn't count as "cracking Tor" in the context of
compromising the network or encryption.

In the case of Freedom Hosting, it was reportedly a combination of
both; the FBI cracked the server, then planted malware which exploited
a vuln in Firefox (and therefore TBB) users. They didn't, it is
believed, compromise Tor crypto in the process.

https://www.wired.com/2013/09/freedom-hosting-fbi/

Should add that users with NoScript enabled would not have been
vulnerable - I get the "noscript decreases privacy" argument, but I'd
still kinda like it to be on by default to protect users. Maybe with a
big red "Turn on Javascript because I'm happy to get pwned by
malicious ads, FBI malware, and miscellaneous trackers" button :)

Lastly, I should acknowledge that none of this is proof that Tor has
NOT been compromised. Just that in the incident in question, it was
probably not.

>> There are frequently vulnerabilities in hosting services - content
>> platforms, web forums, third-party Javascript libraries, file uploads,
>> management interfaces...many sites, darkweb or not, have much broader
>> attack surfaces than their owners understand.
>
> Exactly. Bugs in software. Or, as Dijkstra put it, incorrect software. Users
> demand more features instead of more correctness because buggy software is
> "good enough" and a rare glitch is no problem. Then they discover that they
> lost control of their computers.
Unfortunately, security is rarely a top priority for either developers
or users.
-J