TOR Wants You To Stop Using Windows, Disable JavaScript 341

Posted by timothy
from the so-say-we-all dept.
itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."

  • Re:Firefox (Score:5, Informative)

    by The MAZZTer (911996) <megazzt@g m a il.com> on Tuesday August 06, 2013 @10:15AM (#44485909) Homepage
    Firefox allows it, as does every major browser. But it is not the default, because it is incredibly inconvenient considering how many websites rely on it. There are tools to make it easier for Firefox and Chrome but it is still a bit of a bother.
  • Proper Summary (Score:4, Informative)

    by Freshly Exhumed (105597) on Tuesday August 06, 2013 @10:22AM (#44485961) Homepage

    FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'

    Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?

  • NSA owned netblocks (Score:5, Informative)

    by NynexNinja (379583) on Tuesday August 06, 2013 @10:22AM (#44485967)
    Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ [arstechnica.com] ... And yes, I second the motion to stop using Windows -- it's full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and it's been that way for decades.
  • by RedHackTea (2779623) on Tuesday August 06, 2013 @10:24AM (#44485985)
    FTFA:

    The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.

    People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.

  • Re:Firefox (Score:3, Informative)

    by Anonymous Coward on Tuesday August 06, 2013 @10:24AM (#44485989)

    Firefox is apparently opting to remove the option from their settings and for a good reason - no one wants to globally disable JS these days. A default off with allowed sites is workable though, but there are extensions like NoScript to add that functionality.

  • Re:Firefox (Score:2, Informative)

    by Ubi_NL (313657) <joris&ideeel,nl> on Tuesday August 06, 2013 @10:32AM (#44486105) Journal

    This is incorrect, the latest versions of Firefox do not allow javascript to be turned off. It is a valid complaint.

  • Re:Very poor advice (Score:4, Informative)

    by CAIMLAS (41445) on Tuesday August 06, 2013 @10:45AM (#44486251) Homepage

    It's trivial to use Tor in a secure fashion. In fact, if you need the security provided by Tor, chances are you're better off doing it this way instead:

    1) Download Tails [boum.org]
    2) Burn to CD
    3) Boot disk
    4) Use Tor

    How hard was that?

    (Personally, I use IE5 and Windows 2000 for Tor. Nobody's going to try to exploit that... and yes, I'm kidding.)

  • Re:Firefox (Score:4, Informative)

    by Krojack (575051) on Tuesday August 06, 2013 @10:51AM (#44486323)

    URL about:config then enter 'javascript.enabled' into the search bar. Double click that setting in the list below to toggle back and forth.

  • Re:Firefox (Score:2, Informative)

    by Anonymous Coward on Tuesday August 06, 2013 @10:54AM (#44486349)

    This is incorrect, the latest versions of Firefox do allow javascript to be turned off. It is an invalid complaint.

    Don't give me bullshit about it not being in the "UI" either, since I have a bookmark with the address about:config?filter=javascript.enabled right there in my bookmarks toolbar.
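
An added example, not part of the comments above and not Mozilla's code: the `javascript.enabled` preference that Krojack and the Anonymous Coward toggle through about:config can also be audited on disk. It assumes the standard profile files `prefs.js` and `user.js`; the sample file contents and the function names are constructed for illustration.

```python
import re

# Matches a preference line such as: user_pref("javascript.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
PREF = "javascript.enabled"

# Constructed sample profile files (not taken from a real profile).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("javascript.enabled", false);\n'


def parse_prefs(text):
    """Return {name: raw value} for each user_pref() line; later lines win.
    Commented-out lines do not match because the pattern is anchored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def javascript_state(prefs_js, user_js=""):
    """Return (enabled, source). user.js is applied at startup and overrides
    prefs.js; with neither set, Firefox's built-in default (enabled) applies."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        raw = parse_prefs(text).get(PREF)
        if raw is None:
            continue
        if raw not in ("true", "false"):
            raise ValueError(f"{source}: unexpected value {raw!r} for {PREF}")
        return raw == "true", source
    return True, "default"


if __name__ == "__main__":
    enabled, source = javascript_state(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    print(f"{PREF} = {enabled} (from {source})")
```

A result of `(True, "default")` means the profile never set the preference, so scripts run unless an extension such as NoScript blocks them.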

  • by raymorris (2726007) on Tuesday August 06, 2013 @11:05AM (#44486459)
    To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.

    Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
    Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
    Seeing all the press that Java was getting, Netscape renamed LiveScript "Javascript", to ride the coat-tails of the
    completely different system, called Java.

    They were developed completely separately, by different companies, for different purposes, and based on different principles.
    It's exactly as if the BETAMAX were renamed DroidVideo.
  • by Anonymous Coward on Tuesday August 06, 2013 @11:10AM (#44486513)

    They're being rather disingenuous too: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
    Since the vulnerability isn't limited to Windows machines, it's just that they believe that only Windows machines were targeted.

    WHO IS AFFECTED:
        In principle, all users of all Tor Browser Bundles earlier than
        the above versions are vulnerable. But in practice, it appears that
        only Windows users with vulnerable Firefox versions were actually
        exploitable by this attack.

        (If you're not sure what version you have, click on "Help -> About
        Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])

        To be clear, while the Firefox vulnerability is cross-platform, the
        attack code is Windows-specific. It appears that TBB users on Linux
        and OS X, as well as users of LiveCD systems like Tails, were not
        exploited by this attack.

    IMPACT:
        The vulnerability allows arbitrary code execution, so an attacker
        could in principle take over the victim's computer. However, the
        observed version of the attack appears to collect the hostname and MAC
        address of the victim computer, send that to a remote webserver over
        a non-Tor connection, and then crash or exit [8]. The attack appears
        to have been injected into (or by) various Tor hidden services [9],
        and it's reasonable to conclude that the attacker now has a list of
        vulnerable Tor users who visited those hidden services.

        We don't currently believe that the attack modifies anything on the
        victim computer.

    So what makes them so sure that only Windows machines were targeted? Sure only paranoid people would think that way, but a lot of people using Tor are paranoid, and many using Tor SHOULD be that paranoid.

  • Re:Firefox (Score:4, Informative)

    by danbuter (2019760) on Tuesday August 06, 2013 @11:23AM (#44486669)
    NoScript works for me...
  • by Burz (138833) on Tuesday August 06, 2013 @11:25AM (#44486699) Journal

    This is a sure way to reveal your IP address to an attacker. The only proxy switcher ever deemed safe to use with Tor was TorButton... the rest allowed cache and history-based attacks. Even so, Tor project recommends the entire browser now be customized for Tor and not used for any in-the-clear web access.

  • Re:Firefox (Score:2, Informative)

    by VGPowerlord (621254) on Tuesday August 06, 2013 @11:35AM (#44486807) Homepage

    So why do I have Firefox 22 with an enable/disable Javascript option? I downloaded this from Mozilla so you are saying they built a special version just for me? How nice of them.. Or perhaps Firefox still allows the user to enable/disable Javascript at this time.

    You'll be unpleasantly surprised when you download Firefox 23 and find out it's gone. Which was released today, btw.

  • Re:Firefox (Score:2, Informative)

    by Anonymous Coward on Tuesday August 06, 2013 @11:41AM (#44486883)

    And that's an important point a lot of people, and most of the news media, have gotten wrong about this story. Download any TorProject Browser and NoScript is included by default and specific browser settings changed. As is, it's relatively safe to use, but if users even temporarily disable those protection measures because they can't do something like download a file or participate in some commenting page because a script is being prevented from running, then it's not a fault with Tor, it's a user issue. TorProject's site has always had a very clear warning for their users about javascript as being a security issue to pay attention to.

  • by MechaStreisand (585905) on Tuesday August 06, 2013 @01:38PM (#44488401)
    Take a look at all the certificate authorities your browser trusts sometime. Any one of those can issue a certificate for ANY website, not just those in the area where that authority. If any ONE of those authorities issues a certificate for, say, the NSA, then they can MITM your communication with any website if they're in a position to do so (and the NSA most definitely is), regardless of that website's original certificate. By default, the browser doesn't give a shit if the certificate changes. All of this makes SSL useless against a determined attacker.
