Opened 7 years ago

Closed 3 years ago

#6735 closed defect (duplicate)

TBB-Firefox leaks the OS and kernel version to Mozilla update servers

Reported by: rransom Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, interview, tbb-firefox-patch
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

‘echelon’ also reports that TBB-Firefox sends the OS and kernel version when he/she/it opens the ‘About TorBrowser’ dialog:

2012-08-30 01:56:53 <echelon> https://aus3.mozilla.org/update/3/Firefox/10.0.5/20120608001639/Linux_x86-gcc3/en-US/default/Linux%202.6.37.6-smp%20(GTK%202.24.4)/default/default/update.xml?force=1

(It probably shouldn't be connecting to that server at all, because an update package containing an unpatched Firefox would make TBB completely unsafe.)

Child Tickets

Change History (11)

comment:1 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:2 Changed 7 years ago by mikeperry

Keywords: tbb-fingerprinting added

If this is indeed the current OS kernel rather than the build machine kernel, this information might be sufficient for Mozilla to be coerced to mount targeted attacks against certain Tor users. It might also be sufficient to fingerprint the number of bytes on the wire at the exit node, should an update request happen to be concurrent with other traffic.

Hard to say that this scenario is worse than the other 14 other fingerprinting bugs we needed to fix yesterday. I think it's probably not, but I'll tag it as tbb-fingerprinting anyway.

comment:3 in reply to:  2 Changed 7 years ago by cypherpunks

Replying to mikeperry:

If this is indeed the current OS kernel rather than the build machine kerne

Kernel version is indeed user's platform specific string.

But I can't trigger it till I press 'update' button in the ‘About TorBrowser’ dialog.

comment:4 Changed 7 years ago by gk

I think a good solution would be to compile the Tor Browser with --disable-updater. This way you would a) solve this problem b) not make the user believe there is already an updater available c) get a smaller Tor Browser with a smaller attack surface.

comment:5 Changed 6 years ago by mikeperry

Keywords: interview added

comment:6 Changed 6 years ago by gk

Cc: gk added; g.koppen@… removed

comment:7 Changed 5 years ago by erinn

Keywords: tbb-firefox-patch added

comment:8 Changed 5 years ago by erinn

Component: Firefox Patch IssuesTor Browser
Owner: changed from mikeperry to tbb-team

comment:9 Changed 4 years ago by cypherpunks

Is this still happening in the latest version?

comment:10 Changed 3 years ago by arma

Severity: Normal

A good triage question.

I would hope that now that Tor Browser is *using* the update feature, it's not sending anything to mozilla at all.

And also I would hope that whoever made the updater work also thought through the fingerprinting questions.

comment:11 Changed 3 years ago by mcs

Resolution: duplicate
Status: newclosed

I think this ticket is a duplicate of #13047, which was fixed a long time ago.

Note: See TracTickets for help on using tickets.