The maker of the Firefox browser is wading into an increasingly contentious court battle over an undisclosed security vulnerability the FBI used to track down anonymous users of a child-porn site.
The FBI took over a dark web child-pornography site called Playpen last year and, rather than shut it down, used a secret, still-undisclosed vulnerability in the Tor Browser to install malware on the computers of more than 1,000 users that allowed the FBI to determine their locations.
But in Tacoma, Washington, lawyers for a school administrator caught in the dragnet have successfully demanded the right to review the malware in order to pursue their argument that it, rather than he, was responsible for the illicit material ending up on his computer.
The Tor Browser is a free browser that shields a user’s identity. It is also based on code from the Firefox browser.
Mozilla, the organization behind Firefox, has long worried that the Tor Browser vulnerability might still be out there, could be exploited by bad actors, and could exist in Firefox, which is much more widely used than the Tor Browser.
So while it seems likely that the FBI will go to great lengths not to turn over the code – possibly dropping the case altogether – Mozilla’s top lawyer, Denelle Dixon-Thayer, is now arguing “that the government must disclose the vulnerability to us before it is disclosed to any other party.”
She explained: “Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community. In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.”
Dixon-Thayer noted that Mozilla isn’t taking sides, pro- or anti-disclosure. It just wants to make sure that if there is disclosure, Mozilla gets it first. Here is the legal brief Mozilla filed on Wednesday.
The issue of when the government should disclose security vulnerabilities is a hotly contested issue outside the courtroom as well.
The Obama administration’s policy is that when the government learns of a new flaw, it has to submit the flaw to an interagency group. The White House says that group has a “strong bias” toward disclosing flaws to vendors so that they can be fixed, rather than just letting the agencies keep the flaws secret and continue to use them. But the evidence suggests that is not the case.
Top photo: “Mozilla Booth” by Mozilla in Europe using CC BY 2.0, photo cropped.
I recommend you simply use a VPN instead of Tor. There’s no privacy left in Tor after the Silk Road breakdown, the government monitors everything on it. Try using Hide My IP VPN instead, much safer than Tor…
Sorry David, you’re wrong.
Tor is still a secure protocol, we know that. The FBI simply used a bug in Firefox to determine their real IP address. As long as you use Tor on Tails, SubgraphOS or Whonix that shouldn’t be possible.
VPNs do little for your privacy if you’re using a normal web browser, because the fingerprint they generate is unique. The Tor browser, however, is much more generic.
That wasn’t sarcasm was it? :D
I2P is similar to TOR and is free of bugs…
All complex apps have bugs, or might have. From the I2P Wikipedia page:
Whereas there has been significantly more peer review worldwide of Tor and the Onion Routing network. And it is much more popular and thus more anonymous.
HOWEVER, I don’t know if the developers have changed this yet (or ever will) but the Tor/Firefox NoScript extension toggle for JavaScript is by default ON – in an attempt to make the users look more normal – and thus more anonymous. Unfortunately therein lies the huge opportunity to infiltrate default-setting Tor clients.
It’s always seemed backwards to me they have JS turned ON by default, but then, the development team is going for general anonymity, not protecting perps from well funded teams of NSA/FBI hackers.
That’s my understanding anyway. Far more knowledgeable people than me should respond, as needed.
TOR was a project created by the government to be a magnet for all kinds of “undesirable” activity. It has been backdoored from the outset.
It doesn’t matter who made it. What matters is that the source code is open for review. By studying the code we can tell that Tor as a protocol is secure.
Perhaps they should put their time and effort into making Firefox more secure instead. Firefox is the only major browser that doesn’t yet isolate vulnerable parts of the browser in separate sandboxes. Chrome/Chromium is miles ahead in terms of security.
LOL That’s because Mozilla is in on it. Claiming to want to know the vulnerability is just disinformation.
The evidence suggests that not only can the government not be trusted, but that the government of the US represents a completely dark entity that is entirely antithetical to Democracy and The Rule of Democratic Law by the people. The evidence for this is monumental enough that it can no longer be seen as just an assumption to be tested, but as the new paradigm we must operate upon to save our butts from a fate worse than the ‘Stasi’ could deliver.
Here is an interesting read about the Stasi http://www.bbc.com/news/magazine-19344978
Not that it’s a conflict, but the article might disclaim the fact that our very own Mr. Pierre Omidyar (owner of The Intercept) donated to Tor development in 2006 (via Omidyar Network – once the Tor project became open source, EFF approved, and a non profit.)
http://www.whoishostingthis.com/blog/2014/11/17/who-funded-tor/
Thank you Mr. Omidyar. For helping Tor, creating TI, ..and even for eBay.
If Wall Street wanted it/anything, it would have it already.
So the article starts by telling us there is a flaw in Tor and that the FBI (and the rest) can break into Tor and implant malware.
Then there is this quote: “The Tor Browser is a free browser that shields a user’s identity.”
How could that be? You just said it is not safe and does not do what this statement claims.
Does Tor protect your identity any more? NO it has been neutralized by government hacking.
It depends on what the exploit is and how it targets users. While it is true that the browser likely has a vulnerability, it doesn’t mean that the FBI has immediately owned everyone’s box who is using it. Security isn’t a binary thing.
If everyone uses Tor you will be anonymous, but not enough people are using Tor, so some tech YouTubers say not to use it for that reason.
That only applies if you have Windows or Apple. On linux even if your browser is taken over, it can’t install anything without your authorization.
Just another JavaScript bug. There are many more of these.
Considering that TOR is funded by the US State and Defense departments it should come as no surprise that the US government has access to anything they want on it.
No, that’s not how it works — at least, certainly not with Tor — and it’d be great if you didn’t cast aspersions against things without solid evidence. Thanks!
The very existence of the flaw is useful information, for those of us who tend to use the Tor browser. Personally, I have always assumed that Firefox is vulnerable.
As to the Obama administration’s policies, it’s just another case of the President’s being a pathological liar. It is safe to assume that the substance of any administration policy is opposite to what they say it is.
What browser would you trust more than Firefox? (I mean lol, you ever read the terms and conditions for Opera?)
You need to use Linux, which won’t allow malware to be installed without your authorization.
The browser in the Tor bundle is Firefox, with the vast majority of the code unchanged from the Firefox ESR version chosen for the particular Tor release. If a browser vulnerability is one that can be exploited despite the cloaking effect of the Tor network, it’s pretty unlikely that the Tor Project will find and fix it — so “those of you who tend to use Tor” will yourselves remain vulnerable.
Also, you should probably consider seriously Wnt’s question. The correct answer, of course, is that no other widely-used browser is deserving of as much trust as Firefox, because none of the others are built entirely on readily-audited open source code. Not to mention that other popular browsers have a disturbing tendency to “phone home” with tracking information in ways that can’t be controlled by the user.