"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.
Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."
http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
https://web.archive.org/web/20161130072235/http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in Web pages served by a service known as Freedom Hosting.
http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://web.archive.org/web/20161130031656/http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
"This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://web.archive.org/web/20161130003501/https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
[Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @11:31AM
NoScript has javascript globally enabled, all the media plugins are on, etc.
It's a huge security clusterfuck. The only reason I use it is for the torbutton current connection hop list.
It is rather illuminating when all your hops are showing up through just US, UK, France, etc, with no other country's hops included (apparently tor doesn't filter nodes by both netmasks and geoip, so you can end up entirely over single country connections that may make it easier to snoop on your browsing history).
(Score: 2) by janrinok on Wednesday November 30 2016, @12:27PM
The argument goes that, if you disable javascript, then your browser appears far more unique than everyone else's browser. This means that it is easier to link a specific user (while not necessarily yet knowing who he or she is) to a series of sites or activity because their browser is unique. Subsequently, if the browser is identified, then your history is more easily recoverable.
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @12:37PM
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @01:05PM
I'm pretty sure it is very detectable if your script that should generate certain server requests doesn't generate those server requests.
(Score: 4, Informative) by janrinok on Wednesday November 30 2016, @02:03PM
So, although our own site does not need any other information to display correctly on your device, some sites rely on browser-provided data to give you the best user experience. Such data might include your screen size and resolution, default languages and/or fonts, etc. If you are not convinced, take a look at this site which analyses the data that your browser is currently pushing out [amiunique.org]. If I disable NoScript then I receive the following string on one of my boxes:
(Score: 0) by Anonymous Coward on Thursday December 01 2016, @09:14AM
Well, I'm unique at a similar level (unique among the 255876 collected so far), but looking at the breakdown it's mostly because of my language preferences. 18.27% have no JS, but 0.1% share my language preferences. Then there's my User Agent, shared by only 0.48%. I guess those two already make me unique.
Well, I wasn't aware of that; I guess I'll edit my language preferences and install a User Agent changer.
(Score: 0) by Anonymous Coward on Thursday December 01 2016, @11:18AM
I tried Tor Browser with JavaScript disabled. That site said "But only 1492 browsers out of the 256023 observed browsers (0.58 %) have exactly the same fingerprint as yours."
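Added illustration, not part of the thread and not amiunique.org's code: the anonymity-set arithmetic behind the percentages quoted in the comments above, showing how each attribute alone narrows the set a little while the combination can narrow it to one, and how a shared default profile keeps the set large. The population, attribute labels and counts are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample of observed browsers as
# (javascript_enabled, accept_language, user_agent) tuples.
# Labels and counts are illustrative, not data from amiunique.org.
POPULATION = (
    [(True, "en-US", "UA-common")] * 600
    + [(True, "de-DE", "UA-common")] * 150
    + [(False, "en-US", "UA-common")] * 120
    + [(False, "en-US", "UA-torbrowser")] * 100  # many users, one shared profile
    + [(True, "en-US", "UA-rare")] * 20
    + [(False, "de-DE", "UA-common")] * 9
    + [(False, "cy-GB", "UA-rare")] * 1          # rare language plus rare UA
)
ATTRS = ("javascript", "language", "user_agent")

def anonymity_set(population, fingerprint, attrs=ATTRS):
    """Number of observed browsers matching `fingerprint` on `attrs`."""
    idx = [ATTRS.index(a) for a in attrs]
    key = tuple(fingerprint[i] for i in idx)
    counts = Counter(tuple(fp[i] for i in idx) for fp in population)
    return counts[key]

def surprisal_bits(population, fingerprint, attrs=ATTRS):
    """Identifying information in bits: -log2(share of matching browsers)."""
    share = anonymity_set(population, fingerprint, attrs) / len(population)
    return -math.log2(share)

def report(population, fingerprint):
    """Per-attribute and combined (attrs, set size, bits) rows."""
    rows = []
    for attrs in (("javascript",), ("language",), ("user_agent",), ATTRS):
        n = anonymity_set(population, fingerprint, attrs)
        bits = round(surprisal_bits(population, fingerprint, attrs), 2)
        rows.append((attrs, n, bits))
    return rows

if __name__ == "__main__":
    for fp in [(False, "cy-GB", "UA-rare"), (False, "en-US", "UA-torbrowser")]:
        print(fp)
        for attrs, n, bits in report(POPULATION, fp):
            print(f"  {'+'.join(attrs):32s} set={n:4d}  bits={bits}")
```

In this sample, disabling JavaScript alone leaves a set of 230 browsers; the customised browser only becomes unique once language and User Agent are combined with it, while the shared profile still matches 100 others.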
(Score: 3, Insightful) by FatPhil on Wednesday November 30 2016, @01:28PM
The solution to that problem is not to discourage people from doing it, but to encourage more people to do it.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves