Tor Browser passes security audit by Cure53, revealing two high-severity issues
The Tor Project has recently commissioned Cure53, a German cybersecurity firm, to conduct a security audit of the Tor Browser and other censorship circumvention tools. The objective of this audit was to ensure the resilience of these technologies against potential threats and attacks.
The audit involved a series of penetration tests and code audits, focusing in particular on the methods users rely on to connect to bridges in the Tor Browser. Other tools audited include OONI Probe, rdsys, BridgeDB, and Conjure.
Despite the broad scope of the audit, Cure53 found a relatively low number of issues. The auditors praised Tor for its “admirably robust and hardened security posture and sound design decisions”, concluding that the audited components are healthy from a security perspective.
The audit did reveal some vulnerabilities and weaknesses, including a few high-severity issues. In response, Cure53 provided a set of recommended fixes and guidance for further hardening. The Tor Browser received a satisfactory rating overall, being deemed “sufficiently robust and hardened against a multitude of common threats and attack vectors”.
Most of the key findings either concerned vulnerable code snippets or did not offer an easy exploitation method. However, two high-severity issues were identified and have since been mitigated by the Tor Project, following the recommendations from Cure53's assessment.


Comments
TOR technology is not really the problem.
Bigger problems are a relatively tiny level of user uptake, hovering around the 2m mark for many years. Given exit nodes can be run by anyone, including NSA etc., those two million users must be among the most surveilled in the world.
Another problem is the lack of transparency around large blocks of TOR addresses - including links with a free, unlimited VPN run by the RiseUp network, a largely anonymous outfit run from the United States.
As can be seen from the following link, RiseUp hid official 2017 gag orders from their warrant canary for years. Rather than shutting down as other service providers have done, they kept users in the dark.
Biggest problem by far though is that TOR is largely based in, and subject to, US laws including national security orders.
TOR has no warrant canary. If life or death communications, use a VPN based outside of western and eastern jurisdiction, e.g. Panama or Iceland.
https://www.cnet.com/tech/services-and-software/are-us-based-vpns-trustworthy-heres-why-i-dont-recommend-them/