Tor Warns of Firefox Bug That Threatens User Privacy

[tezza]

The developers at the Tor Project are warning users about a serious flaw in Firefox that's included the latest version of the Tor Browser Bundle that could enable an attacker to gather information about the servers a victim is using, poking a hole in the privacy and anonymity that Tor is designed to provide.

The problem lies in the way that the Firefox makes DNS requests. When a user is using Tor, the browser should make DNS requests through the software's anonymity network and not through the regular Internet. However, Firefox does the opposite when users also have WebSockets enabled in the browser.

"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux)," Tor said in its advisory to users.

The Tor Project is working on a fix for the vulnerability, but there isn't one available yet. The Tor developers recommend that users in the interim go in and disable WebSockets altogether. You can do that through these steps, Tor said:

• Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
• Type “websocket” (again, without the quotes) into the search bar that appears below "about:config".
• Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.

https://threatpost.c...-privacy-050312

[johndoe]

slight modification, just search for the exact phrase instead, like so

Type “network.websocket.enabled” (again, without the quotes) into the search bar that appears below "about:config".

[Nemesis]

the new update brings "tor browser" a modded version of firefox. dunno if its just a name and logo change or there is more under the hood?