from the whoever-thought-that-javascript-was-a-good-idea? dept.
https://tails.boum.org/security/prototype_pollution/index.en.html
"Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.
We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).
A security vulnerability was discovered in the JavaScript engine of Firefox and Tor Browser. See the Mozilla Foundation Security Advisory[1] 2022-19
This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.
For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.
This vulnerability doesn't break the anonymity and encryption of Tor connections.
For example, it is still safe and anonymous to access websites from Tails if you don't share sensitive information with them.
After Tor Browser has been compromised, the only reliable solution is to restart Tails.
Other applications in Tails are not vulnerable. Thunderbird in Tails is not vulnerable because JavaScript is disabled.
The Safest security level of Tor Browser[2] is not affected because JavaScript is disabled at this security level.
Mozilla is aware of websites exploiting this vulnerability already.
This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier."
(Score: 2, Interesting) by janrinok on Wednesday May 25 2022, @06:38AM
(Score: 1, Informative) by Anonymous Coward on Wednesday May 25 2022, @06:41AM (1 child)
The original submission included the following links:
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/ [mozilla.org]
[2] https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html#security-level [boum.org]
* Discovered this information at: https://old.reddit.com/r/tails/comments/uwtsf6/serious_security_vulnerability_in_tails_50_tor/ [reddit.com]
(Score: 5, Informative) by janrinok on Wednesday May 25 2022, @07:23AM
We have to cut submissions down to comply with the legalities of 'Fair Use'. People are still expected to read TFA if they want to see everything.
(Score: 4, Touché) by maxwell demon on Wednesday May 25 2022, @06:53AM (4 children)
If you disable JavaScript, no malicious JavaScript will be executed.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Interesting) by Anonymous Coward on Wednesday May 25 2022, @07:01AM (3 children)
Sadly, a majority of Internet users feel they must have JavaScript enabled, as disabling it fscks up their browsing "experience." You can't sign up for many free e-mail addresses and accounts of other nature all across the web without it, for one example. A lot of sites require you to either sign in or enable JavaScript to even post!
Thankfully SN is so great where I can surf it with JS disabled and easily expand threads to see comments as an AC! No forced registrations to access content.
(Score: 4, Interesting) by Anonymous Coward on Wednesday May 25 2022, @07:44PM (2 children)
yes; this is exactly why I, also, am here.
I live in a repressive regime. Talking publicly about some topics is unsafe.
SN over TOR is my only english geek/nerd community, because I can do so relatively safely.
Thanks all of you lentils! And to the volunteer staff!
(Score: 2) by janrinok on Thursday May 26 2022, @05:45AM
(Score: 0) by Anonymous Coward on Thursday May 26 2022, @03:08PM
I hate to tell you this but unmasking TOR users isn’t exactly difficult for repressive regimes. Neither is it for users of the hidden service for SN, if it is even running anymore.
(Score: 1, Insightful) by Anonymous Coward on Wednesday May 25 2022, @07:15AM
I thought it's no news that the tor browser is vulnerable and always has been, given how buggy it is.
(Score: 2, Interesting) by Anonymous Coward on Wednesday May 25 2022, @07:18AM (4 children)
"Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information."
Wow - that's a long time for such a serious bug to remain active, undetected. I wonder how many people have been pwned by this vuln.
(Score: 2, Insightful) by shrewdsheep on Wednesday May 25 2022, @09:09AM (3 children)
If I were in need of running Tails, I would visit websites from a small set of bookmarks only, restarting the browser each time, with complete wiping of cookies, forms, history on shutdown of the browser. Definitely, I would only enable JS for sites absolutely needing it. I guess anyone really being stalked by secret services would take such precautions (or would be arrested already), so probably not much harm done for this group. People thinking they are save because tor and tails, just randomly visiting dubious websites are the ones being pawnd.
(Score: 3, Insightful) by inertnet on Wednesday May 25 2022, @10:16AM (2 children)
If you want to maintain a separate identity, in addition you should use a (separate) VPN and never use the email, logins or passwords that you use in your everyday browsing.
(Score: 5, Insightful) by maxwell demon on Wednesday May 25 2022, @02:48PM (1 child)
Indeed, for maximal security you should run your second identity from a virtual machine (or a separate physical machine), so that you never accidentally connect through the VPN from something that might be identifiable (e.g. your operating system checking for updates sometimes directly over the internet, sometimes through the VPN).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by legont on Thursday May 26 2022, @11:18PM
Well, here is what I do on my laptop.
The main OS is Windows. That's what I show to border agents. It is gently used so looks plausible.
The real life is in VMs. I run 3-4.
One for my regular life. The goal here is to foul advertisers and such. If I really need to access a site that does insists on all my defenses down I do it in Windows above.
Another one is for money. I work only on my financial needs from here.
The third one is for work. However, lately the office made it hard to work from Linux so screw them - I use the Windows. Makes it even more plausible for the border agents.
The last one is for things I suspect might be illegal at the coordinates I am at the moment. I fire up a new VM and destroy it after the session.
The setup is a routine for years and does not have that much of an overhead - not as bad as using condoms if you ask me.
My biggest issue at the moment is VPNs. Many large organizations block VPN IPs. They also block geography they find undesirable for whatever reasons. So far I did not get into a situation where I am blocked based on where I am and on VPN's I am using, but this day is coming.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 1, Informative) by Anonymous Coward on Wednesday May 25 2022, @09:41AM (1 child)
Security Vulnerability in the Tails OS (July 23, 2014)
https://www.schneier.com/blog/archives/2014/07/security_vulner_4.html [schneier.com]
https://www.theverge.com/2014/7/22/5927917/the-worlds-most-secure-os-may-have-a-serious-problem [theverge.com]
(Score: 0) by Anonymous Coward on Wednesday May 25 2022, @09:49AM
Related, from 2014:
----- https://blog.exodusintel.com/2014/07/23/silverbullets_and_fairytails/ [exodusintel.com]
See also:
- https://blog.torproject.org/recent-black-hat-2014-talk-cancellation/ [torproject.org]
- https://blog.torproject.org/tor-security-advisory-relay-early-traffic-confirmation-attack/ [torproject.org]
(Score: 2) by KritonK on Wednesday May 25 2022, @10:08AM (1 child)
This sounds like a bug in Firefox, which has been inherited by TOR browser, which is used by Tails, and not like a bug in Tails per se.
(Score: 1, Interesting) by Anonymous Coward on Wednesday May 25 2022, @10:25AM
First line of the story quote:
That TailsOS includes Tor Browser in it's ISO/IMG files is their decision. It is a part of TailsOS. They could use another browser if they were so inclined but they don't. (excluding the "unsafe browser)
There have been other issues, too, such as in 2020:
Facebook Helped Develop a Tails Exploit
https://www.schneier.com/blog/archives/2020/06/facebook_helped.html [schneier.com]
I've long said TailsOS should be forked and made into something lightweight without all of the bloat, especially the DE chosen. XFCE is easily the better choice. Do you really need a video player and all of the other possible attack surfaces in such a distro? Certainly not!