Posted on Thursday, August 08 2013 @ 11:12 CEST by Thomas De Maesschalck
In a security advisory on its website, Tor advises users to switch away from Windows to ensure anonimity. The advice comes after the discovery of a vulnerability in Firefox that enables hackers (and government agencies) to discover identifying information about Tor users. Full details can be read
over here.
WHAT TO DO:
First, be sure you're running a recent enough Tor Browser Bundle. That
should keep you safe from this attack.
Second, be sure to keep up-to-date in the future. Tor Browser Bundle
automatically checks whether it's out of date, and notifies you on its
homepage when you need to upgrade. Recent versions also add a flashing
exclamation point over the Tor onion icon. We also post about new
versions on the Tor blog: https://blog.torproject.org/
Third, realize that this wasn't the first Firefox vulnerability, nor
will it be the last [10]. Consider disabling JavaScript (click the blue
"S" beside the green onion, and select "Forbid Scripts Globally").
Disabling JavaScript will reduce your vulnerability to other attacks
like this one, but disabling JavaScript will make some websites not work
like you expect. A future version of Tor Browser Bundle will have an
easier interface for letting you configure your JavaScript settings [11].
You might also like Request Policy [12]. And you might want to randomize
your MAC address, install various firewalls, etc.
Fourth, consider switching to a "live system" approach like Tails [13].
Really, switching away from Windows is probably a good security move
for many reasons.
And finally, be aware that many other vectors remain for vulnerabilities
in Firefox. JavaScript is one big vector for attack, but many other
big vectors exist, like css, svg, xml, the renderer, etc. We need
help improving usability of (and doing more security analysis of)
better sandboxing approaches [14] as well as VM-based approaches like
Whonix [15] and WiNoN [16]. Please help!
