On Friday, June 28 an anonymous individual contacted Tor developers over Twitterclaiming to have found a vulnerability in the way microdescriptors are validated by Tor clients which would allow “determination of the source and end-point of a given [victim’s] tor connection with little more than a couple relays and some rogue directory authorities [both controlled by the adversary].”
Detailed testing by Nick Mathewson could not reproduce the behavior in the Tor client that was claimed to enable such an attack. After a lengthy Twitter debate with Mathewson, the reporter disappeared, no bugs have been filed, and it appears the vulnerability was nothing of the sort. Without being able to verify the existence of the claimed vulnerability, Mathewson concluded that the reporter’s described attack was equivalent “at worst… to the ‘request filtering’ attack… which has defenses”.
The issue was also mentioned (and likewise dismissed) on the security mailing list, Full Disclosure.
For anyone interested in reporting vulnerabilities in Tor software, please avoid following that example. Until a process gets documented, the best way to report the discovery of a vulnerability is to get in touch with one of the Tor core developers using encrypted email.
This issue of Tor Weekly News has been assembled by Lunar, dope457, moskvax, Mike Perry, Nick Mathewson, mttp, and luttigdev.
Want to continue reading TWN? Please help us create this newsletter. We still need more volunteer writers who watch the Tor community and report about what is going on. Please see the project page and write down your name if you want to get involved!
No comments:
Post a Comment