After recent revelations that the Tor browser was not as secure as users had previously thought, many cynics came out to say, “I told you so.”
This message seemed to take the internet security world by storm in the last week, following the detection of a vulnerability in Tor that has been dubbed “TorMoil.”
On the face of it, the development may not sound so serious, since those using Windows OS may not be facing any risks.
It has been reported that Linux and Mac OS are the ones who could find that their systems could bypass the Tor browser and connect to the remote host. This vulnerability has been noticed when users type specific links, like the ones that start with “file://.”
Will this open up the avenue for law enforcement agencies to crack the anonymity browser and go after dark web traders in drugs, arms and stolen valuables?
It may be too early to tell but once a vulnerability has been exposed, it does encourage the interested parties to dig some more.
Security Community Spots the Bug
We Are Segment, the security firm that first detected this Tor vulnerability, made a record that they reported the bug to the browser’s developers at the Tor Project.
They believe the bug owes its origins to Firefox, the browser on which Tor is built. They also assert that the issue is specific to the file extensions described above.
The information then spread through blog posts and other means to alert users of Mac and Linux operating systems, urging them to update immediately.
The developers at Tor have found a way to help plug the leak of IP addresses, but this could only be a temporary solution.
The Tor browser may revisit its security levels in the coming days to institute long-term fixes to any more flaws.
No Damage Done
There has been a statement from the Tor Project that according to their assessment, it is possible that IP addresses could be leaked after users of affected Mac or Linux devices click on file:// links.
The Tor Project also stated that the vulnerability has not been seen in other versions of Tor including “Tails,” which is already up and running, along with another version that’s under testing on the Windows platform.
But in this age of technology, there is really no guarantee that someone cannot find a way to break into a system, however secure you may feel your system or software to be.
The Good and the Bad of the Tor Environment
There is no denying the fact that the security and end-to-end encryption Tor is known for will also provide a safe haven for unscrupulous traders who use it to sell all kinds of clandestine items and services without being traced.
But it’s also worth remembering that there are others who use the browser for genuine purposes as well.
One community is the fourth estate; investigative journalists and whistleblowers of the WikiLeaks variety, who expose corruption and wrongdoings in government and corporate power structures.
They use the Tor browser to work on their cases without surveillance from the opposing parties they’re investigating.
There are other such users for whom the anonymity is essential for a good cause, including people in oppressive regimes who need access to global information and communication without censorship.
It is recommended that Tor users also use a VPN (Virtual Private Network) to carry out their activities, no matter what they are.
This way, anytime there is a vulnerability such as this one with TorMoil, users will be protected twofold with an extra layer of security in case there’s a leak of their IP address.
What’s to Come
After discovering the TorMoil issue with the Tor browser, We Are Segment chose to alert the Tor developers of the bug first before they released the update.
However, the matter was not kept a secret and through blogposts and other means, it has come into the public domain.
And those using Mac OS or Linux would have, by now, updated their browsers to make sure their IP addresses remained safe and secure.
Tor has announced its latest version of the 0.3.2.4-alpha in the 0.3.2.x series, which it states will protect users from all kinds of vulnerabilities.
The users need to trust this to carry on what they are doing, good or bad.
Latest posts by Richard (see all)
- Tor Project Discontinues Supporting Tor Messenger - April 19, 2018
- VPN Browser Extensions for Chrome Leak Users’ DNS - April 19, 2018
- Backpage Seized by Feds, Founders Facing Criminal Charges - April 14, 2018