I'm giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything.— Dr. Neal Krawetz (@hackerfactor) June 4, 2020
I'm holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days.
A security researcher has published over the past week technical information on two vulnerabilities affecting the Tor Network and the Tor browser.
Dr. Neal Krawetz said in his blog posts last week and today that he had been releasing details on the two days following the repeated failure of the Tor project to address several security issues he reported in the past few years.
The researchers also promised that at least three other Tor zero days would be revealed including one that could reveal the Tor servers' actual IP address.
The Tor Project did not address the request for comment and provided additional information on his position with regard to a comment on Dr. Krawetz 's intentions.
The very first Tor zero day of last week was revealed by Dr. Krawetz, who himself operate several Tor nodes and has a long history of finding and reporting Tor bugs.
In a blog on 23 July, the researcher described how companies and internet service providers are able to block Tor connectivity by searching for "a separate packet signature" unique to Tor traffic network connections.
The packet could be used as a way to block Tor connections and effectively ban Tor completely – an issue that is highly likely to abuse oppressive regimes.
Dr. Krawetz revealed a second issue earlier today in a blog post shared with ZDNet. Like the first, this one allows Tor traffic to be detected by network operators.
However, although direct connections to the Tor network could be detected on the first zero day (to Tor Guards Nodes), indirect ones may be used on the second day.
These are connections to a special type of Tor connection which can be used to stop direct entry into the Tor network by companies and ISPs.
Tor bridges act as proxy points and relay user-to-Tor connections. As Tor servers are sensitive it is constantly updated to make it harder for ISPs to block the list of Tor bridges.
But Dr. Krawetz says the use of a similar tracking technique for specific TCP packets to easily detect the links to door bridges.
"There's now every thing you need between my previous blog post and this one to implement the [network blocking Tor] policy by means of an inalienable packet inspection system in real time. You can stop all users from connecting to the Tor network directly or using a bridge," said Krawetz.
THE TOR PROJECT SECURITY STANCE DISSATISFACTION TOWARDS This is because he does not think that the Tor Project takes the safety of their networks, tools and users seriously enough. Dr. Krawetz publishes these null days.
In an attempt to report bugs in the Tor Project, the security investigator only mentions previous incidents to tell them that they were aware of the problem, that they were working on a fix but never that fix.