Mozilla is Fixing a Major Flaw in Firefox....

Mozilla also stated that the vulnerability can be used to unmask Tor users :-(

https://www.deepdotweb.com/2016/09/28/mozilla-is-fixing-a-major-flaw-in-firefox/


Comments


[12 Points] ForLol_Serious:

Can they still unmask me if I have 2 Tor routers set up?


[7 Points] elfer90:

This type of attack has been around for years... There is a large list of software that can be exploited in similar ways. I don't trust auto-updates.


[4 Points] sapiophile:

Already fixed, and not that big a deal to begin with (in my opinion): https://www.reddit.com/r/DarkNetMarkets/comments/53v12m/worries_or_no_worries/d7wn24o

First of all, this is one of the main things that the latest version of Tor Browser (and Tails) fixes. So it's no longer an issue if you're using up-to-date software.

It's not great, but it's not the worst, really. The attack requires controlling an HTTPS secret key, either the existing one for addons.mozilla.org or for a valid Certificate Authority. That's a fairly tall order, and the tallness of that order basically underpins all the secure web traffic on the planet, so there are some high standards around that sort of thing.

That said, a state-level adversary could feasibly control a CA signing certificate, and indeed, there's a Post Office in China that's a valid CA.

It's never good to have executable code downloading and running in an application invisibly, but if you're gonna do it, having it be signed by a valid, authenticated certificate is not a terrible way to go. I can understand, though, how this standard isn't necessarily high enough for Tor Browser, and so it has now been elevated. Cool.

Was this vector actually used against Tor users? Who knows. We have no evidence to suggest that it was. It was, unfortunately, out there for a (VERY motivated/resourceful) adversary to use for a few years, just like many, many, many other 0days that we find out about all the time. I'd say this news isn't much more noteworthy than any of the reports about vulnerabilities that have been patched in Firefox recently, or the like. But of course it's always good to have some food for thought.


[1 Points] BudgetBuyer:

What about Virtual Machine > VPN > Tor?