Release of Tor Browser 11.0.2. Tor blocking extension. Possible attacks on Tor

Tor Browser 11.0.2, a dedicated browser focused on anonymity, security and privacy, has been released. When using Tor Browser, all traffic is redirected only through the Tor network, and direct access through the regular network connection of the current system is impossible, which prevents tracking of the user's real IP address (to block possible leaks completely, products such as Whonix should be used). Tor Browser builds are prepared for Linux, Windows and macOS.

For additional security, Tor Browser includes the HTTPS Everywhere add-on, which enables traffic encryption on all sites where this is possible. To mitigate the threat of JavaScript attacks and to block plugins by default, the NoScript add-on is included. Alternative (pluggable) transports are used to counter blocking and traffic inspection. To protect against fingerprinting of visitor-specific features, the WebGL, WebGL2, WebAudio, Social, SpeechSynthesis, Touch, AudioContext, HTMLMediaElement, Mediastream, Canvas, SharedWorker, Permissions, MediaDevices.enumerateDevices and screen.orientation APIs are disabled or restricted; the telemetry sender, Pocket, Reader View, HTTP Alternative-Services, MozTCPSocket and "link rel=preconnect" are disabled, and libmdns is modified.

The new version is synchronized with the codebase of the Firefox 91.4.0 release, which fixes 15 vulnerabilities, 10 of which are rated as dangerous. 7 of the vulnerabilities are caused by memory-safety problems, such as buffer overflows and use of already freed memory areas, and could potentially lead to execution of malicious code when opening specially crafted pages. Some TTF fonts whose use broke text rendering in interface elements on Fedora Linux were excluded from the Linux build. The "network.proxy.allow_bypass" setting, which controls the protection against incorrect use of the Proxy API by add-ons, has been disabled. For the obfs4 transport, the new bridge "deusexmachina" is enabled by default.

Meanwhile, the blocking of Tor in the Russian Federation continues. Roskomnadzor changed the mask of blocked domains in the registry of banned sites from "www.torproject.org" to "*.torproject.org" and expanded the list of IP addresses to be blocked. The change blocked most subdomains of the Tor project, including blog.torproject.org, gettor.torproject.org and support.torproject.org. forum.torproject.net, hosted on Discourse infrastructure, remains available. gitlab.torproject.org and lists.torproject.org are partially available: access to them was initially lost but then restored, probably after a change of IP addresses (gitlab is now directed to the host gitlab-02.torproject.org).

At the same time, blocking of bridges and nodes of the Tor network, as well as of the ajax.aspnetcdn.com host (Microsoft CDN) used by the meek-azure transport, is no longer observed. Apparently, the experiments with blocking Tor network nodes that followed the blocking of the Tor site have stopped. A difficult situation is developing around the tor.eff.org mirror, which continues to work: the mirror is tied to the same IP address that is used for the eff.org domain of the EFF (Electronic Frontier Foundation), so blocking tor.eff.org would lead to partial blocking of the site of a well-known human rights organization.

In addition, a new report has been published on possible attempts to carry out attacks to deanonymize Tor users, associated with the KAX17 group, which is identified by specific fictitious contact emails in relay parameters. During September and October, the Tor project blocked 570 potentially malicious nodes. At its peak, the KAX17 group managed to bring the number of nodes it controlled in the Tor network to 900, hosted by 50 different providers, which corresponds to about 14% of the total number of relays (for comparison, in 2014 attackers managed to gain control of almost half of the Tor relays, and in 2020 of over 23.95% of exit nodes).

Placing a large number of nodes controlled by a single operator makes it possible to deanonymize users with a Sybil-class attack, which can be carried out if the attackers control both the first and the last node in the anonymization chain. The first node in the Tor chain knows the user's IP address and the last one knows the IP address of the requested resource, so a request can be deanonymized by adding a hidden tag on the entry node's side to packet headers that remain unchanged throughout the anonymization chain, and analyzing this tag on the exit node's side. With controlled exit nodes, attackers can also modify unencrypted traffic, for example by removing redirects to HTTPS versions of sites and intercepting unencrypted content.

According to representatives of the Tor network, most of the nodes removed in the fall were used only as intermediate (middle) nodes and were not used to process incoming and outgoing requests. Some researchers note that the nodes belonged to all categories and that the probability of landing on an entry node controlled by the KAX17 group was 16%, and on an exit node 5%. But even if this is true, the overall probability of a user hitting both an entry and an exit node from the group of 900 nodes controlled by KAX17 is estimated at 0.8%. There is no direct evidence that KAX17 nodes were used to carry out attacks, but such attacks cannot be ruled out.
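The three preceding paragraphs describe how KAX17 was spotted (relays sharing fictitious contact addresses), why a single operator holding many relays matters (a Sybil attack needs both the entry and the exit position), and how the resulting exposure is estimated (entry share times exit share, 16% x 5% giving about 0.8%). The script below is an added example, not code from the article or from the Tor project: it groups a constructed set of relay records by normalised ContactInfo, computes each group's bandwidth-weighted share of the guard, exit and overall positions, and reports the end-to-end exposure for groups above a threshold. All relay nicknames, fingerprints, contact addresses and bandwidth values are fabricated for the example.

```python
"""Group Tor relays by published ContactInfo and estimate Sybil exposure.

Added example, not from the article or the Tor project. The relay records are
constructed; fingerprints, nicknames, contacts and bandwidths are fabricated.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Relay:
    nickname: str
    fingerprint: str      # hex relay identity (fabricated here)
    contact: str          # ContactInfo string chosen by the operator, unverified
    flags: frozenset      # consensus flags, e.g. {"Guard", "Exit"}
    bandwidth: int        # consensus weight, arbitrary units


# Constructed sample: six independent operators, one relay with no contact,
# and one operator running several relays under a single fictitious address.
SAMPLE_RELAYS: List[Relay] = [
    Relay("guard1", "00" * 20, "ops@one.example", frozenset({"Guard", "Fast"}), 200),
    Relay("guard2", "01" * 20, "ops@two.example", frozenset({"Guard", "Fast"}), 200),
    Relay("guard3", "02" * 20, "ops@three.example", frozenset({"Guard", "Fast"}), 100),
    Relay("exit1", "03" * 20, "ops@four.example", frozenset({"Exit", "Fast"}), 200),
    Relay("exit2", "04" * 20, "ops@five.example", frozenset({"Exit", "Fast"}), 100),
    Relay("mid1", "05" * 20, "ops@six.example", frozenset({"Fast"}), 200),
    Relay("mid2", "06" * 20, "", frozenset({"Fast"}), 100),
    Relay("s1", "a1" * 20, "NoReply@sybil.example", frozenset({"Guard", "Fast"}), 100),
    Relay("s2", "a2" * 20, "noreply@sybil.example ", frozenset({"Guard", "Fast"}), 100),
    Relay("s3", "a3" * 20, "noreply@sybil.example", frozenset({"Exit", "Fast"}), 100),
    Relay("s4", "a4" * 20, "noreply@sybil.example", frozenset({"Fast"}), 200),
]


def group_by_contact(relays: Iterable[Relay]) -> Dict[str, List[Relay]]:
    """Cluster relays on a normalised ContactInfo (trimmed, lower-cased).
    Relays without a contact are left out: nothing ties them to an operator."""
    groups: Dict[str, List[Relay]] = defaultdict(list)
    for r in relays:
        key = r.contact.strip().lower()
        if key:
            groups[key].append(r)
    return dict(groups)


def role_fraction(relays: List[Relay], group: List[Relay], role: str) -> float:
    """Bandwidth-weighted share of one circuit position held by `group`.
    role is "Guard" or "Exit" (relays carrying that flag) or "Any" (all relays)."""
    def eligible(r: Relay) -> bool:
        return role == "Any" or role in r.flags
    total = sum(r.bandwidth for r in relays if eligible(r))
    held = sum(r.bandwidth for r in group if eligible(r))
    return held / total if total else 0.0


def end_to_end_exposure(guard_fraction: float, exit_fraction: float) -> float:
    """Probability that one fresh circuit has both its guard and its exit in the
    adversary's set, treating the two selections as independent; the article's
    16% x 5% = 0.8% estimate follows the same model."""
    return guard_fraction * exit_fraction


def flag_suspicious_groups(relays: List[Relay], threshold: float = 0.15) -> Dict[str, dict]:
    """Return contact groups holding more than `threshold` of total consensus
    weight, with their guard/exit shares and the resulting end-to-end exposure."""
    report: Dict[str, dict] = {}
    for contact, members in group_by_contact(relays).items():
        total = role_fraction(relays, members, "Any")
        if total < threshold:
            continue
        guard = role_fraction(relays, members, "Guard")
        exit_ = role_fraction(relays, members, "Exit")
        report[contact] = {
            "relays": len(members),
            "total_share": total,
            "guard_share": guard,
            "exit_share": exit_,
            "end_to_end": end_to_end_exposure(guard, exit_),
        }
    return report


if __name__ == "__main__":
    for contact, stats in flag_suspicious_groups(SAMPLE_RELAYS).items():
        print(f"{contact}: {stats['relays']} relays, "
              f"{stats['total_share']:.1%} of weight, "
              f"guard {stats['guard_share']:.1%}, exit {stats['exit_share']:.1%}, "
              f"both-ends exposure {stats['end_to_end']:.2%}")
```

On the constructed set only the sybil.example group is flagged: it holds 31.25% of total weight, 2/7 of guard weight and 25% of exit weight, so about 7.1% of fresh circuits would have both ends inside it. Grouping on ContactInfo alone is a weak signal, since the field is self-declared and an operator can vary it per relay; in practice it is combined with other relay characteristics, and the exposure figure also ignores guard pinning, which keeps a client on the same entry node for months and therefore makes the per-user outcome all-or-nothing rather than a per-circuit probability.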

Source: opennet.ru
