Firefox security bug (proxy-bypass) in current TBBs

by rransom | May 2, 2012

A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:

  1. Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
  2. Type “websocket” (again, without the quotes) into the search bar that appears below "about:config".
  3. Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.

See Tor bug 5741 for more details. We are currently working on new bundles with a better fix.

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

May 02, 2012

Permalink

Oh dear :(

Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?

If yes, I may be in trouble.

@anon, AFAIK Twitter does not use web sockets, so even if you enabled Javascript on Twitter it should not be an issue. I could be wrong or there could be other issues.

No, you shouldn't be in trouble.

All that was/is leaked is your computer name-resolving twitter.com.
There is no information contained which account you accessed.

As I see it, this "bug" is only of real concern for people in countries where access to certain domains is illegal/suspicious in itself.
So, this report should be translated to Farsi and the like ASAP.

That is incorrect. A malicious site or tor exit node could have your browser resolve a uniquely-identifying subdomain. For example, if your twitter handle is "bradleymanning", twitter could have you query "bradleymanning.attack.twitter.com". Twitter's DNS server would then receive that query coming from your ISP's DNS server or worse, from your IP. At best, it would only learn what ISP you are using, which is bad.

Can you name me one country "where access to certain domains" is NOT "illegal/suspicious in itself." ?

Granted, it is a matter of degree and everything is relative, but still, your statement is rather incredible.

Anonymous (not verified) said:

May 02, 2012

Permalink

As long as you weren't doing anything illegal in the United States you should be fine. Tor has never been about hiding illegal activity. And since Twitter is in the US and doesn't respond to foreign court orders… well…

Ah right, maybe Anonymous "Oh dear" is a fucking communist, or even a dirty whistle blower like Maning! Brave, law abide citizens haven't got anything, that must be hidden, so maybe you want to forbid TOR, Mr. McCarthy?

Or maybe you just like having the government know absolutly everything you're doing whenever they like and hate the right to privacy? Fascist.

Anonymous (not verified) said:

May 02, 2012

Permalink

Everything I do in the US is illegal, FINE. Every word I use, every truth I tell, it is all illegal and my keyboard is typing out the words MAGIC LANTERN...So what are you going to do for me? Under 18! Or do I start praying 4 encryption in photos that isn't a cow jumping over the moon?

For those following along and want to know the details of the Firefox bug, see https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/curren…

Quoting the explanation in the patch:
>This is due to an improper implementation of the WebSocket spec by Mozilla.
>
>"There MUST be no more than one connection in a CONNECTING state. If multiple
>connections to the same IP address are attempted simultaneously, the client
>MUST serialize them so that there is no more than one connection at a time
>running through the following steps.
>
>If the client cannot determine the IP address of the remote host (for
>example, because all communication is being done through a proxy server that
>performs DNS queries itself), then the client MUST assume for the purposes of
>this step that each host name refers to a distinct remote host,"
>
>https://tools.ietf.org/html/rfc6455#page-15
>
>They implmented the first paragraph, but not the second...

Anonymous (not verified) said:

May 02, 2012

Permalink

It's not revealing your IP address to the destination server. It only reveals the fact that you are trying to communicate to a certain HOST (such as twitter.com) to the name server you use. None of the data you exchange with the host is revealed.

Tor CAN be used with Opera. If you use the easy Firefox bundles, you just have to copy the proxy settings from FF/Aurora into Opera instead... and then take all the usual precautions to make sure no scripts or plugins cause your browser to leak data.

There was "OperaTor", which was like a TBB but with Opera instead of Firefox. But it came with a launcher that wasn't open source and that obviously raised many people's suspicions.

Tor does work with any browser that can connect to it via socks, either directly or with a socks proxy. Making another browser work isn't the problem. The problems are:
Making certain that all of the traffic (including DNS) also goes thru Tor only.
Making sure that your browser, extensions, plugins, integrated apps, etc are not leaking identifiable or trackable data.

It can be done. I've used Tor with SeaMonkey for a long time, but there's much more to do than just connecting the apps together. Flash, java, and javascript can all reveal what you want private. You need control over all the traffic, aka specific firewall rules with tight control over loopback traffic.
Rick

Anonymous (not verified) said:

May 03, 2012

Permalink

So what if anyone wants to know what am doing I don't care. Not doing anything I shouldn't be so it doesn't matter! You lot who care are either doing something illegal or breaking some rules somewhere. Skitzy or what!!!!

BTW I'm sitting on Facebook, Twitter, YouPorn and having some breakfast with a cuppa and a kitkat, problem???

So then I take it you would have no problem if the government decided to set-up surveillance cameras in your bedroom and bathroom.

After all, if you're not doing anything you shouldn't be, what should be the concern, right?

No, it was simply taking the poster's argument to its logical conclusion.

He argued that privacy is only of concern to people doing wrong.

(Never mind the subjectivity in defining what is "wrong"...)

so u WANT places like those and like google selling info about u to ppl u dont know for profit? sure targetted ads CAN be convenient, but are mostly irrelevant and annoying to me. and what if some hacker sets up a 'legit' advertising company just to harvest the free info u are giving out? what might THEY do b4 google etc find out and cut the fake company out of the loop?

Anonymous (not verified) said:

May 03, 2012

Permalink

Should I do it on my Obfsproxy version? And Could I change some components for this version, For example could I change the firefox in to the upgrade one? Hope you can tell me Thank you!

Anonymous (not verified) said:

May 03, 2012

Permalink

Fork latest Firefox 3 which does not know web sockets.
Then go along with the Mozilla patches as far as they apply.

In the long term this could be a Tor browser which requires less work
and comes without unwanted surprises.

And a Tor browser that doesn't work with sites that require web sockets, or any other new more recently standardized feature. A browser that only works on some sites isn't that useful to most people.

We have this scenario already.
Many sites do not work without JavaScript, some sites do not work without Flash.
And from the postings here and on the mailing lists we know a lot of Tor users
have disabled Javascript and even more do not use Flash.

I think many Tor users are putting security before convenience
and humoring the quirks of some webmasters.
As a result there are already a lot of sites that do not work for Tor users.
And for me these are those I can easily do without.

Anonymous (not verified) said:

May 03, 2012

Permalink

To prevent DNS leaks from any application you can enable Tor's own DNS server:

DNSPort 53

Then change your network DNS settings to always use that instead:

127.0.0.1

Furthermore you should block outgoing DNS request (port 53) with your firewall, since some applications will ignore your own DNS settings.

I'm sure there's a guide for it somewhere, otherwise it's in the documentations.

Anonymous (not verified) said:

May 03, 2012

Permalink

Hi I have 3 questions.

1) Is this bug also present in version 2.2.35-8 or former versions ? Or is it only present in 2.2.35-9?

2) Is this bug irrelevant if JavaScript is Disabled in Firefox?

3) Can someone, like for example arma, please explain what this bug means in really simple layman terms? What has been exposed? What is at risk? Has IP address of users been exposed? or can websites only hypothetically link visit of Tor users to their real IP address, through timing/statistics? Is there any way websites like Google,Twitter,Ebay... got hold of the real identity of Tor users, because of this bug?

To answer question #3

If the DNS server you're using is keeping logs, then those logs will show at what time your computer/IP-address tried to resolve/access a domain name.

In the following examples the bold parts are what the logs would show:

http://google.com/?search=something
http://twitter.com/some_person/some_status
http://ocewjwkdco.tudasnich.de/some_post

As you can see the logs shows which domain/site you visit, but NOT which page, or protocol, or port.

They also can't see the traffic between the site and your computer, because that goes through Tor, even with this bug present.

2)
As far as I know, web sockets require JavaScript, so if JavaScript is disabled this bug will not affect you.

3)
Your ISP will possibly know you have visited certain sites using Tor, but not more than that you have visited the sites.

It may be possible to link a Tor user to your IP address through timing analysis because of this. This requires that your ISP cooperates to do so, and because this only happens for sites with web sockets, there is limited amount of information, so will be hard.

But now when this bug is known to the public, it may be exploited to make it much easier to track users, so from this point you want to protect yourself.

Anonymous (not verified) said:

May 03, 2012

Permalink

please please pleassee open a forum. so many unanswered questions in the comment sections of the blog posts. In a forum users could search for similar questions and see related answers.

Please do it soon arma,mikeperry,ioerror, we need a forum!!

Amen to that!

I just cannot understand the logic in offering individual email and even *telephone* support* but not a forum.

By individual email and telephone, you are undoubtedly answering many of the same questions repeatedly, many times over. How can this be an efficient use of limited time and resources?

"In a forum users could search for similar questions and see related answers."

Yes, exactly.

As I wrote in a previous post to the Tor Blog:

I appreciate your offering support by email and telephone. I am rather surprised and perplexed, however, that you would offer such direct, one-to-one support while apparently not offering a public support forum. I cannot imagine how this can be cost-effective for you. Surely, you must receive many repeat questions. If people were directed to a forum and at least strongly encouraged-- if not actually _required_-- to search for answers to their questions before making a new post, it would no doubt save you much unnecessary time and effort. Additionally, in a forum, contributing members of the public would invariably at least sometimes answer questions accurately, and then you could simply post to corroborate and verify their answers.

Surely, you must have considered these points by now.

If personal email and telephone support are still going to be offered, then whererever the telephone number and email address is listed, there should appear alongside them a notice urging people to first search the forum and preferably, if at all possible, Google as well, for an answer before emailing or calling. (And explain the reality of limited, overstretched resources, non-profit, volunteer nature, etc.,)

*What other completely free product offers completely free telephone support? Unheard of, as far as I'm aware.

Well, then...

First of all, I would ask: instead of ignoring at least 90% of the legitimate questions that get posted here, why don't the people who run this blog direct people to those channels?

Second, the points made above regarding efficiency and cost-effectiveness hold true for IRC as well. Only a relative few number of people can be helped at any given time, and unlike a forum, others can't benefit from the time and effort that was spent. The answers basically vanish into the ether after a very short time.

Thirdly, a forum is far more universally, easily and anonymously accesible than any type of mailing list. All one needs to access a forum is access to the web. A mailing list requires a legitimate email address to subscribe and then repeated, regular access to the email account that was used. This can pose a number of challenges and hurdles with respect to anonymity as well as security.

I agree. I think it's utterly disrespectful to all Tor users not having a forum. A forum is the most fundamental level of support of any good software.

Anonymous (not verified) said:

May 03, 2012

Permalink

Can this issue be fairly classified as a cost of Tor Project buying into the rapid release cycle of FF?

Anonymous (not verified) said:

May 04, 2012

Permalink

the great thing about the internets is if you want a forum, its easy to set one up yourself,....
what with all the freehosting and free forum software around

Nothing is truly free, esp. any kind of service. No one offers anything for "free" without some reason, some way that it benefits them.

The lure of being "free" makes the assault on privacy by the likes of Google, Yahoo, Facebook, etc, et al, especially insidious.

Anonymous (not verified) said:

May 04, 2012

Permalink

Folks, isn't it about time to stop pretending that these browser bundles can ever work? And the same goes for TAILS in its present form.

Big, complex programs like browsers have killer bugs. They always have, they always will, and the Bad Guys WILL know about the bugs before you do.

If you let something that complicated talk to the net, EVEN THROUGH TOR, you CAN'T GIVE IT ANY SECRETS. As long as the browser, or any program that can make a net connection, has any ability to get the user's name, IP address, MAC address, DNS settings, or any of the thousand other pieces of PII sitting around on the computer, you have an exposure you can't fix.

So long as you rely on patching the bugs, and so long as you rely on bandaids like Torbutton, your users will be catchable. You're lucky it hasn't happened yet, that you know of, on a large scale.

PUT THE FREAKING BROWSER IN A SANDBOX, ALREADY. Probably put it in its own VM, and make damned sure that that VM can't see anything that identifies the computer.

Otherwise you're just playing dangerous games.

"And the same goes for TAILS in its present form."

How so?

If TAILS is used on a system from which any drives containing PII have been physically disconnected, and the MAC has been spoofed...

What better sandboxing could there be?

hey you don't need a VM to avoid websocket (and similar) problems,
you can use 2 machine:

PC1 running Tor (/etc/init.d/tor start) and ssh

PC2 without a default route ( route del -net 0.0.0.0 )

PC2 connect to port 9050 of PC1 via an ssh tunnel

PC2 must have polipo or privoxy installed

PC2 can connect to the local proxy ( the one on 127.0.0.1 ) witch will retrieve data reaching the Tor instance running on PC1, through the sshtunnel.

PC2 could also have the websocket misconfiguration ( aka "enabled" ) and this will pose no threats because of the absence of a deafult route.

Any remote exploit against the browser, or against any of the other programs running in TAILS, allows the remote party to break out and run code on the machine running TAILS, and once that happens there's no other layer of protection.

The machine running TAILS still knows its own IP address, knows the MAC addresses of other devices on the LAN, can try to hack into them. If it's behind NAT, it can use various NAT traversal tricks to find the real IP address of the NAT router. It may need to get root to get around the iptables, but root isn't that hard to get when you have all of Linux available to attack, and last time I looked the iptables had "local access" exceptions.

You can also usually get the hardware MAC of a "MAC-changed" interface, for that matter. Not to mention the other hardware serial numbers you can get if you look around in /sys.

Anonymous (not verified) said:

May 04, 2012

Permalink

hi, i'm talking to you from "tor-browser-2.2.35-11_en-US" for windows

the value for "network.websocket.enabled" - is true

is this only me, i have set it to false.
thank you

Anonymous (not verified) said:

May 08, 2012

Permalink

I am using ProxyMob with firefox and orbot and it is not letting me use Tor as a SOCKS proxy and is instead using it asan http proxy which I am writing from now.

Anonymous (not verified) said:

May 10, 2012

Permalink

This isn't good. This isn't good at all. What about all whistle blowers who could be putting their lives in danger? Does this bug endanger them even more?

Anonymous (not verified) said:

June 03, 2012

Permalink

hi i just down loaded firefox beta wen not using tor is it possible to disable the google seach engine i put duckduckgo on but wen re booted google was back n i couldnt move it im no tech head but google just gives me the creeps n i want it off my mac