
Tor Browser 11.0.2 released. Tor site blocking extension. Possible attacks on Tor


The release of Tor Browser 11.0.2, a specialized browser focused on anonymity, security and privacy, has been presented. When using Tor Browser, all traffic is routed only through the Tor network, and direct connections through the system's standard network connection are impossible, which prevents the user's real IP address from being traced (if the browser is compromised, attackers can gain access to the system's network parameters, so products such as Whonix should be used to block potential leaks completely). Tor Browser builds are prepared for Linux, Windows and macOS.

For additional protection, Tor Browser includes the HTTPS Everywhere add-on, which enables traffic encryption on all sites where possible. To reduce the threat from JavaScript-based attacks and to block plugins by default, the NoScript add-on is included. To combat blocking and traffic inspection, alternative transports are used. To protect against fingerprinting of visitor-specific features, the APIs WebGL, WebGL2, WebAudio, Social, SpeechSynthesis, Touch, AudioContext, HTMLMediaElement, Mediastream, Canvas, SharedWorker, Permissions, MediaDevices.enumerateDevices and screen.orientation are disabled or limited; telemetry sending tools, Pocket, Reader View, HTTP Alternative-Services, MozTCPSocket and “link rel=preconnect” are also disabled, and libmdns is modified.

The new version is synchronized with the codebase of the Firefox 91.4.0 release, which fixes 15 vulnerabilities, 10 of which are marked as dangerous. 7 vulnerabilities are caused by memory problems, such as buffer overflows and access to already freed memory areas, and can potentially lead to the execution of an attacker's code when specially crafted pages are opened. Some ttf fonts were removed from the Linux build, because their use broke text rendering in interface elements on Fedora Linux. The “network.proxy.allow_bypass” setting, which controls whether protection against incorrect use of the Proxy API by add-ons is active, has been disabled. For the obfs4 transport, the new “deusexmachina” gateway is enabled by default.

Meanwhile, the story of the blocking of Tor in the Russian Federation continues. Roskomnadzor changed the mask of blocked domains in the register of prohibited sites from “” to “*” and expanded the list of IP addresses subject to blocking. The change has blocked most of the Tor project subdomains, including,, and There remains hosted in the Discourse framework. Partially accessible are and, to which access was initially lost, but then was restored, probably after changing IP addresses (gitlab is now directed to the host


Additionally, a new report has been published on possible attempts to deanonymize Tor users by the KAX17 group, which is identified by a specific fake contact email in the node parameters. During September and October, the Tor project blocked 570 potentially malicious nodes. At its peak, the KAX17 group brought the number of nodes it controlled in the Tor network to 900, hosted by 50 different providers, which corresponds to about 14% of the total number of relays (for comparison, in 2014 attackers managed to gain control over almost half of the Tor relays, and in 2020 over 23.95% of exit nodes).

Running a large number of nodes under one operator makes it possible to deanonymize users with a Sybil-class attack, which can be carried out if the attackers control the first and last nodes in the anonymization chain. The first node in the Tor chain knows the user's IP address, and the last one knows the IP address of the requested resource, which makes it possible to deanonymize the request by adding a hidden label on the entry node side to packet headers that remain unchanged along the entire anonymization chain, and analyzing this label on the exit node side. With controlled exit nodes, attackers can also modify unencrypted traffic, for example by removing redirects to HTTPS versions of sites and intercepting unencrypted content.

According to representatives of the Tor network, most of the nodes removed in the fall were used only as intermediate nodes and were not used to process incoming and outgoing requests. Some researchers note that the nodes belonged to all categories, and that the probability of hitting an entry node controlled by the KAX17 group was 16%, and an exit node 5%. But even if this is the case, the overall probability of a user simultaneously hitting the entry and exit nodes of the group of 900 nodes controlled by KAX17 is estimated at 0.8%. There is no direct evidence that KAX17 nodes are used to carry out attacks, but such attacks are not ruled out.
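
The 16%, 5% and 0.8% figures above follow from how much selection weight one operator holds in the entry and exit positions. The following is an added example, not code from the Tor Project or from the report: it groups a constructed relay list by contact string and estimates each operator's chance of holding both ends of a circuit, under the simplifying assumption that relays are chosen in proportion to their consensus weight within each position. Relay names, contact strings, weights and the flagging threshold are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real network data):
# (nickname, contact string, flags, consensus weight)
RELAYS = [
    ("relayA1", "admin@constructed-example.invalid", {"Guard"}, 100),
    ("relayA2", "Admin@Constructed-Example.invalid ", {"Guard"}, 60),
    ("relayA3", "admin@constructed-example.invalid", {"Exit"}, 50),
    ("relayA4", "admin@constructed-example.invalid", set(), 300),  # middle only
    ("relayB1", "noc@guard-operator.example", {"Guard"}, 300),
    ("relayC1", "ops@another-guard.example", {"Guard"}, 300),
    ("relayD1", "", {"Guard"}, 240),
    ("relayE1", "abuse@exit-operator.example", {"Exit"}, 500),
    ("relayF1", "tor@second-exit.example", {"Exit"}, 450),
]

def operator_exposure(relays):
    """Group relays by normalized contact and estimate, per operator, the share
    of entry selections, exit selections, and circuits with both ends held."""
    guard_total = sum(w for _, _, flags, w in relays if "Guard" in flags)
    exit_total = sum(w for _, _, flags, w in relays if "Exit" in flags)
    groups = defaultdict(lambda: {"relays": 0, "guard_w": 0, "exit_w": 0})
    for nick, contact, flags, weight in relays:
        # Case and whitespace differences must not split one operator in two.
        # Relays without contact info are kept separate, never merged together.
        key = " ".join(contact.lower().split()) or f"<no contact: {nick}>"
        group = groups[key]
        group["relays"] += 1
        if "Guard" in flags:
            group["guard_w"] += weight
        if "Exit" in flags:
            group["exit_w"] += weight
    report = {}
    for key, group in groups.items():
        p_guard = group["guard_w"] / guard_total if guard_total else 0.0
        p_exit = group["exit_w"] / exit_total if exit_total else 0.0
        # Both ends of one circuit: independent picks, so the shares multiply.
        report[key] = {"relays": group["relays"], "p_guard": p_guard,
                       "p_exit": p_exit, "p_both": p_guard * p_exit}
    return report

def flag_operators(report, threshold=0.005):
    """Operators whose estimated end-to-end share reaches the (assumed) threshold."""
    return sorted(k for k, v in report.items() if v["p_both"] >= threshold)

if __name__ == "__main__":
    for operator, stats in operator_exposure(RELAYS).items():
        print(operator, stats)
```

With the constructed weights, the first operator holds 16% of entry weight and 5% of exit weight, which gives the 0.8% end-to-end estimate quoted above even though most of its capacity sits in the middle position.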
