The developers at the Tor Project are warning users about a serious flaw in Firefox that’s included the latest version of the Tor Browser Bundle that could enable an attacker to gather information about the servers a victim is using, poking a hole in the privacy and anonymity that Tor is designed to provide.
The problem lies in the way that the Firefox makes DNS requests. When a user is using Tor, the browser should make DNS requests through the software’s anonymity network and not through the regular Internet. However, Firefox does the opposite when users also have WebSockets enabled in the browser.
“A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux),” Tor said in its advisory to users.
The Tor Project is working on a fix for the vulnerability, but there isn’t one available yet. The Tor developers recommend that users in the interim go in and disable WebSockets altogether. You can do that through these steps, Tor said:
- Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
- Type “websocket” (again, without the quotes) into the search bar that appears below “about:config”.
- Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.
Tor is designed to protect users’ anonymity on the Internet by encrypting their traffic and sending it through a network of servers
before sending it to the ultimate destination. The software is used widely by reporters, dissidents and others who have a need to protect their identity or location or need to reach sites that may be blocked by their government or ISP.