[PLUG] tor browser

Vikas Tara vik at hamaralinux.org
Wed Aug 12 22:44:37 IST 2015


On 12/08/15 17:39, ThinRhino wrote:
> On 12-08 14:27, Vikas Tara wrote:
>> On 12/08/15 13:57, ThinRhino wrote:
>>>>> Yes it can make you anonymous, but there are also known flaws and weaknesses
>>>>> that can be exploited.
>>>>>
>>> Can you point to any links to news reports on browser exploits.
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1690
>> was apparently used for exactly this purpose.
>> https://community.rapid7.com/community/metasploit/blog/2013/08/07/heres-that-fbi-firefox-exploit-for-you-cve-2013-1690
> Basically it was a Firefox bug, which was exploited! Also the bug was for FF
> 17.x and we are on FF 40.x today!
>
>
Sorry - I should have been a bit more clear. The issue that I would like 
to highlight is that
the browser bundle is dependant on components and any one of them could 
be open to
exploit.

Firefox ESR is one possibility - and as shown - has potentially already 
been used for defeating tor. I agree this
was some time ago, but it was the first example that I found.

Being on 17.x or 40.x doesn't mean that there couldn't be an exploit, 
know to someone, that could compromise anonymity.

I guess people should know what the risks are and make their choices 
with that knowledge.





More information about the plug-mail mailing list