Due to these errors, Internet providers could block Tor connections. The Tor project denies that researcher Neal Krawetz’s version is true.
Connections to the privacy-focused browser Tor could be at risk due to two vulnerabilities. In recent days, researcher Neal Krawetz posted a report on these problems.
Krawetz runs Tor nodes and has a track record as a vulnerability researcher on the network. In his report, he exposed two errors that could allow network operators to detect traffic and block user connections to Tor.
On July 23rd, the researcher referred to the first vulnerability. In his text, Krawetz described how Internet providers could exploit a Tor vulnerability to prevent users from connecting through the browser, making it possible to censor connections to the network.
According to his explanation, it is possible to scan connections and detect a “different package signature”, corresponding to the Tor connections. With that information, service providers or governments could block Tor connections, according to Krawetz.
Krawetz reported the second vulnerability on July 30th, in a new post. In this text, the cybersecurity specialist exposed another error that would allow detecting connections to Tor.
Unlike the first case, this second vulnerability would help detect traffic on the browser, but through indirect connections. Specifically, the vulnerability would affect users connecting via Tor bridges, a mechanism to bypass blocks to access the browser.
Request for Attention to Vulnerabilities in Tor
The researcher alleges that these are two day-0 vulnerabilities not previously detected or without an immediate solution by the Tor project. Krawetz said that it is not the first time that he has made a report on vulnerabilities that the developers of the browser do not address.
Tor’s response denies the researcher’s version. In a statement via Twitter, the project said that they are not unaware of those vulnerabilities. They also stated that this problem has not gone unnoticed in their efforts to improve the system.
Concerning the vulnerability of bridge connections, Tor explained that exploiting that error would not be as easy or as effective as Krawetz’s post suggests. Besides, the investigator presents in the statement evidence that does not support his statements, according to Tor.
Finally, from the privacy-focused browser project, Tor said that it would be grateful for any initiative that allows detecting errors in its system. Concerning Krawetz’s reports, they say that they are variables of known vulnerabilities, so it would be wrong to consider them as day-0 errors.
Privacy is one of the constant concerns among bitcoiners and cryptocurrency enthusiasts. For this reason, the Tor project receives much of its support from this community. The non-profit project itself has exposed that 20% of the donations that they receive are in cryptocurrencies.
To conclude, vulnerability researchers must continue to provide input to privacy services. Likewise, it is positive that the latter express their points of view in this regard to accept those contributions that help them improve.
By Alexander Salazar