The University Strikes Back with de Tor!
While the US government is trying to bring into law and onto the books everything that allows it to get into people's private lives through the Internet, the spooks at an American university have decided to do exactly the opposite.
These researchers have come out with a paper, Selfrando: Securing the Tor Browser against De-anonymisation Exploits [PDF], describing an address space layout randomisation (ASLR)-esque technique called Selfrando, which they believe will frustrate efforts by government agencies to de-anonymise the Internet.
The researchers aim to improve on the current ASLR techniques used by present browsers such as Firefox. Additionally, the researchers claim, “Selfrando can be combined with integrity techniques such as execute-only memory to further secure the Tor Browser and virtually any other C/C++ application.”
The research team at the University of California has nine members: Mauro Conti, Stephen Crane, Tommaso Frassetto, Andrei Homescu, Georg Koppen, Per Larsen, Christopher Liebchen, Mike Perry, and Ahmad-Reza Sadeghi.
It may be noted that in 2013, the FBI used an exploit to de-anonymise users by compromising Tor hidden services servers. The exploit made use of a use-after-free vulnerability in Firefox to gain arbitrary code execution, then collected the MAC address and the host name from the victim machine and transferred this data to a server, bypassing Tor. The data also connected a specific user by using a unique ID to track their surfing habits.
The team also plans to strengthen the local storage support, which will be operating system specific. Currently, Tor relies on Firefox’s default heap allocator, jemalloc, for this feature. The effort is receiving support from the Tor development team as well.
This is good news for all those who believe in anonymity and privacy on the Internet. However, a word of caution for those using Tor to avoid getting entrapped by the FBI:
- Don’t be the only person using Tor on a monitored network at a given time. Example: Don’t go to a hotel and connect from Tor. This will make it obvious and guarantee an arrest. Connect to a VPN first.
- Use a bridge.
- Don’t use Tor to log on to a darknet forum and then use Gmail or some other mainstream website.
- Never download anything through Tor Browser.