Two 0-Day Vulnerabilities in Tor and Tor Browser Revealed

This week, cybersecurity expert Neal Krawetz, who operates several Tor nodes himself, publicly disclosed details about two zero-day vulnerabilities affecting both the Tor network and the Tor Browser. According to Krawetz, Tor developers have repeatedly refused to fix the issues he reported, which led him to make the vulnerabilities public. Even more concerning, Krawetz promises to reveal information about three more 0-day bugs soon, one of which could be used to expose the real IP addresses of Tor servers.

First 0-Day Vulnerability: Blocking Tor Connections

Krawetz described the first 0-day issue in his blog on July 23, 2020. In this post, he explained how companies and internet service providers can block users from connecting to the Tor network. This can be done simply by scanning network connections for a unique packet signature that is characteristic of Tor traffic.

Second 0-Day Vulnerability: Detecting Tor Bridges

The second 0-day vulnerability was detailed in Krawetz’s blog on July 30, 2020. This bug also allows network operators to detect Tor traffic. While the first vulnerability can be used to identify direct connections to the Tor network (to Tor guard nodes), the second vulnerability can be used to detect indirect connections, specifically those made through Tor bridges.

Bridges act as a kind of proxy, relaying a user’s connection into the Tor network. Because bridges are a highly sensitive part of Tor’s infrastructure, the list of bridges is updated constantly to make it harder for providers to block them. However, Krawetz writes that connections to Tor bridges can be detected easily using a technique that tracks certain TCP packets.

“After my previous blog post and this one, you have everything you need to strengthen your [Tor blocking] policy using a real-time packet inspection system. You can prevent all your users from connecting to Tor, whether they connect directly or use a bridge,” the expert writes.

Criticism of Tor Project’s Security Practices

Krawetz also states that, in his opinion, Tor Project engineers do not take the security of their networks, tools, and users seriously enough. He refers to his previous experiences and numerous attempts to report various bugs to the Tor developers, which ultimately were never fixed. Among these are:

  • A vulnerability that allows websites to detect and identify Tor Browser users by the width of their scrollbars, known to developers since June 2017;
  • A vulnerability that allows the detection of Tor bridges using their OR (Onion Routing) port, discovered eight years ago;
  • A vulnerability that allows identification of the SSL library used by Tor servers, found on December 27, 2017.

In early July 2020, Krawetz announced that he had decided to end his cooperation with the Tor Project and now intends to make these issues public.
