A security researcher has revealed two zero days affecting the Tor network, and more are coming soon.
After several years of unsuccessful attempts to report bugs to the Tor network, a security researcher has publicly discovered two zero-day vulnerabilities that affect both the Tor network and the Tor browser.
In two recent blog posts, Dr. Neil Kravets announced that he decided to release details of several zero days on the Tor network after the Tor Project failed to address the security issues he reported. Kravets also plans to show at least three more zero days of Tor, including one that can be used to display the real IP addresses of Tor servers.
On his blog, Kravets talked about his difficulties with the Tor projects over the years as a security researcher, saying:
“Following my public denunciation of the Tor project (in 2017), they redesigned their website to make it easier to report vulnerabilities. They also launched their bug bounty program on HackerOne. Unfortunately, while reporting vulnerabilities to the Tor project is now easier, they are unlikely to fix anything. I had some reports closed by the Tor network as a "known issue" and "I will not fix". For an organization that prides itself on a secure solution, it is unclear why they will not address known significant issues. ”
Thor zero days
The first of the two zero days revealed by Kravets can be used by organizations and ISPs to block users from connecting to the Tor network. To do this, they will need to scan network connections for a "distinguished packet signature" unique to Tor traffic. The package can even be used to block the initialization of Tor connections, which will prevent users from connecting to the service at all.
While the first day zero can be used to detect direct connections to Tor protection nodes that allow users to connect to the Tor network, day zero can be used to detect indirect connections. These connections are used to create Tor bridges, which are a special type of network entry point that can be used when companies or ISPs block direct access to the Tor network.
According to Kravets, connections to Tor bridges can also be easily discovered using a method similar to tracking specific TCP packets.
Now that two Tor zero days affecting Tor have been disclosed, with the possibility of three more in the future, Tor users in countries with repressive regimes such as North Korea and Syria may soon be unable to use the service. I hope the Tor Project realizes the seriousness of the zero days revealed by Kravets and will make an effort to fix them before that happens.