A security researcher named Dr. Neal Krawetz has today published a second of two zero-day bugs in the Tor browser and network. These can be exploited by the oppressive regime for blocking users in using Tor. He also said three more zero-day bugs will be disclosed soon!
Tor Zero-day Bugs Exposed!
I'm giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything.
I'm holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days.
— Dr. Neal Krawetz (@hackerfactor) June 4, 2020
Dr Neal Krawetz is a security researcher and himself operating few Tor nodes in the network. He has a long history of reporting hugs to the Tor project, and he’s now up with two zero-day bugs in the Tor network and its browser. He revealed to be disclosing these bugs now as Tor failed to patch them even after reporting repeatedly for a long time.
The Tor project was considered one of the best practices of the internet since it provides private browsing and secure communications over the internet without being snooped. While this is true to an extent, exploiting any loopholes in this system can land offensive users in trouble. And this is set to happen if the bugs in question are exploited.
As per Neal Krawetz’s posts, Tor connections can be tracked and blocked by ISPs and companies easily, by scanning the network connections for a “Distinct Packet Signature“. This is unique to Tor traffic and can be tracked whenever a user connects to the Tor network! While this can detect direct connections, the second bug can detect connections indirectly.
Here, the oppressors can check for TCP packets generated whenever a user connects to the Tor Bridge, which is like a proxy like connection used for connecting to the Tor network if the user is blocked by ISPs when connecting directly to the network.
Both these issues were reported to the Tor project by Neal Krawetz for so long, as he claims. And he fears these can be exploited to block connections by authorities in oppressed regimes. Thus, after losing trust in Tor’s team for solving these issues even after knowing, Neal has finally published them and promises to come with three more soon!
