Welcome to our New Forums!

Our forums have been upgraded and expanded!

Serious security vulnerability in TOR Browser

Dynasty

New member
Joined
Apr 26, 2022
Messages
14
Something those of you who use tails or TOR browser to access JoS need to know.

Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).

A security vulnerability was discovered in the JavaScript engine of Firefox and Tor Browser. See the Mozilla Foundation Security Advisory 2022-19

This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.

This vulnerability doesn't break the anonymity and encryption of Tor connections.

For example, it is still safe and anonymous to access websites from Tails if you don't share sensitive information with them.

After Tor Browser has been compromised, the only reliable solution is to restart Tails.

Other applications in Tails are not vulnerable. Thunderbird in Tails is not vulnerable because JavaScript is disabled.

The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.

Mozilla is aware of websites exploiting this vulnerability already.

This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier.

From Serious security vulnerability in Tails 5.0
 
Thank you for posting this. It is a bad vulnerability.

In the meantime before the update, people should be careful to stay on trusted websites. Preferably only those that have no thrid-party ads, like the JoS sites, ProtonMail, etc.

And keep in mind that sentence at the end:
"The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level."

Many sites will work without JavaScript.
 
I may not be up-to-date with Tor, as I haven't used it for ages, but I will always maintain -

Tor + javascript enabled = no-tor

no matter what anyone says to me.
 
BlackOnyx8 said:
FancyMancy said:
I may not be up-to-date with Tor, as I haven't used it for ages, but I will always maintain -

Tor + javascript enabled = no-tor

no matter what anyone says to me.
Not necessarily, depends on what you do with it.
Everyone has their own prerogatives. For me, however, I prefer to not put my hand in a paper glove while playing with fire.
 
FancyMancy said:
BlackOnyx8 said:
FancyMancy said:
I may not be up-to-date with Tor, as I haven't used it for ages, but I will always maintain -

Tor + javascript enabled = no-tor

no matter what anyone says to me.
Not necessarily, depends on what you do with it.
Everyone has their own prerogatives. For me, however, I prefer to not put my hand in a paper glove while playing with fire.
You're assuming there can be malicious JavaScript on the sites you browse. If you only browse safe websites like ancient-forums.com or joyofsatan.org, then it shouldn't be a concern. (The only exception might be embedded videos, but NoScript can be configured with a whitelist to block anything except specific sites.)
 
Soaring Eagle 666 [JG said:
" post_id=359063 time=1653709420 user_id=346]
FancyMancy said:
BlackOnyx8 said:
Not necessarily, depends on what you do with it.
Everyone has their own prerogatives. For me, however, I prefer to not put my hand in a paper glove while playing with fire.
You're assuming there can be malicious JavaScript on the sites you browse. If you only browse safe websites like ancient-forums.com or joyofsatan.org, then it shouldn't be a concern. (The only exception might be embedded videos, but NoScript can be configured with a whitelist to block anything except specific sites.)

What the client gets is not necessarily what the server sends.
https://en.wikipedia.org/wiki/Man-in-the-middle_attack
Anyone with access to just one private key from a certificate authority (and there were some leaks) can bypass TLS security.
 
mastermind.... said:
Soaring Eagle 666 [JG said:
" post_id=359063 time=1653709420 user_id=346]
FancyMancy said:
Everyone has their own prerogatives. For me, however, I prefer to not put my hand in a paper glove while playing with fire.
You're assuming there can be malicious JavaScript on the sites you browse. If you only browse safe websites like ancient-forums.com or joyofsatan.org, then it shouldn't be a concern. (The only exception might be embedded videos, but NoScript can be configured with a whitelist to block anything except specific sites.)

What the client gets is not necessarily what the server sends.
https://en.wikipedia.org/wiki/Man-in-the-middle_attack
Anyone with access to just one private key from a certificate authority (and there were some leaks) can bypass TLS security.
That's true. Of course, if that's in your threat model then Tor itself is probably not the best choice.

Note that I didn't say it was impossible, just that it shouldn't be a concern (in my opinion).

An adversary with access to certificate authority keys, and who cares about catching SS, is most likely a government. They have lots of resources, in which case, the Tor network becomes insecure. Anyone who runs enough nodes (like the NSA probably does) can break Tor's anonymity by correlating the traffic (and then demanding VPNs to rat you out, if you use a VPN). But this is still much harder than if you just browse directly.

But thank you for mentioning this. All of these measures do have a trade-off between security and convenience. It's good to mention all the angles so that people can make informed decisions.
 
Soaring Eagle 666 [JG said:
" post_id=360621 time=1653936737 user_id=346]
mastermind.... said:
Soaring Eagle 666 [JG said:
" post_id=359063 time=1653709420 user_id=346]

You're assuming there can be malicious JavaScript on the sites you browse. If you only browse safe websites like ancient-forums.com or joyofsatan.org, then it shouldn't be a concern. (The only exception might be embedded videos, but NoScript can be configured with a whitelist to block anything except specific sites.)

What the client gets is not necessarily what the server sends.
https://en.wikipedia.org/wiki/Man-in-the-middle_attack
Anyone with access to just one private key from a certificate authority (and there were some leaks) can bypass TLS security.
That's true. Of course, if that's in your threat model then Tor itself is probably not the best choice.

Note that I didn't say it was impossible, just that it shouldn't be a concern (in my opinion).

An adversary with access to certificate authority keys, and who cares about catching SS, is most likely a government. They have lots of resources, in which case, the Tor network becomes insecure. Anyone who runs enough nodes (like the NSA probably does) can break Tor's anonymity by correlating the traffic (and then demanding VPNs to rat you out, if you use a VPN). But this is still much harder than if you just browse directly.

But thank you for mentioning this. All of these measures do have a trade-off between security and convenience. It's good to mention all the angles so that people can make informed decisions.

It is in my threat model but I won't discuss ways of mitigating that threat on an open forum, otherwise they'd become useless.
 
Soaring Eagle 666 [JG said:
" post_id=357994 time=1653454325 user_id=346]
Thank you for posting this. It is a bad vulnerability.

In the meantime before the update, people should be careful to stay on trusted websites. Preferably only those that have no thrid-party ads, like the JoS sites, ProtonMail, etc.

And keep in mind that sentence at the end:
"The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level."

Many sites will work without JavaScript.
the thing is,the jos websites(including satanisgod.org and the .co domain version of the forum)have javascript-based captchas themselves
 

Al Jilwah: Chapter IV

"It is my desire that all my followers unite in a bond of unity, lest those who are without prevail against them." - Satan

Back
Top