
Latest Brave browser update fixes Tor .onion DNS Leak

The makers of the Brave browser have released Brave 1.20.110 to the stable channel. The new version addresses a serious privacy issue in the browser, a crash issue on Linux, and upgrades the core of the browser to a newer Chromium version.

Brave browser has built-in functionality to access .onion sites using Tor. The feature was introduced in June 2018 and has been an option ever since. It routes the connection through a series of hops, which improves anonymity by keeping information secret from the target and from network listeners.

All that is needed to activate Tor mode in Brave is to use the shortcut Alt-Shift-N, or to select Menu > New private window with Tor.

The implementation in Brave is not designed to be a full replacement for Tor Browser. The company notes on its support page that its browser "does not implement most of the privacy protections from Tor Browser" and that it "recommends using Tor Browser instead of Brave Tor windows" for "absolute anonymity".

One user discovered last week that Brave was leaking information in Tor mode. The user suggested that Brave was leaking the addresses of sites visited in that mode and the IP address of the requester. Brave attempted to resolve .onion domains through traditional DNS look-ups, something that should not happen according to the user.

The new update addresses the privacy issue. Brave engineers fixed the issue so that the information is no longer leaked when the browser's Tor mode is being used.
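One way to check for the leak described above on your own network is to look for .onion names in DNS queries captured at the resolver. The following Python sketch is an added example, not code from Brave or from the original article; the sample packets, client addresses and onion labels are constructed placeholders.

```python
"""Flag .onion lookups in captured DNS queries (sample data is constructed)."""
import re
import struct

# Onion service labels are base32: 16 characters (v2) or 56 characters (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def parse_qname(packet: bytes) -> str:
    """Return the lower-cased first question name of a DNS query (RFC 1035)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("message is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:            # root label terminates the name
            break
        if length & 0xC0:          # plain labels are at most 63 bytes
            raise ValueError("unexpected pointer or label type")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def classify(qname: str) -> str:
    """Classify a query name: 'ok', 'leak' or 'leak-malformed'."""
    labels = qname.rstrip(".").split(".")
    if labels[-1] != "onion":
        return "ok"
    # RFC 7686 reserves .onion; such names should never reach DNS at all.
    if len(labels) >= 2 and ONION_LABEL.match(labels[-2]):
        return "leak"              # a well-formed onion address went to DNS
    return "leak-malformed"        # still a .onion lookup on the wire


def find_leaks(captured):
    """captured: iterable of (client_ip, raw_dns_query_bytes) tuples."""
    findings = []
    for client, packet in captured:
        try:
            qname = parse_qname(packet)
        except ValueError:
            continue               # unparseable packet, outside this check
        verdict = classify(qname)
        if verdict != "ok":
            # This pair is what the resolver operator gets to see.
            findings.append({"client": client, "qname": qname,
                             "verdict": verdict})
    return findings


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A query; used only to construct the sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(part)]) + part.encode("ascii")
                     for part in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


# Constructed sample capture: placeholder onion labels, documentation IPs.
V3_LABEL = "b" * 56
V2_LABEL = "c" * 16
SAMPLE_CAPTURE = [
    ("192.0.2.10", build_query("example.org")),
    ("192.0.2.10", build_query(V3_LABEL + ".onion")),
    ("192.0.2.11", build_query("www." + V2_LABEL + ".ONION")),
    ("192.0.2.12", build_query("short.onion")),
    ("192.0.2.13", build_query("onion.example.net")),
    ("192.0.2.14", build_query("example.org")[:15]),   # truncated packet
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_CAPTURE):
        print(finding)
```

Any finding while a Tor window is in use means the onion address and the client's IP address were exposed to the DNS resolver; after updating to the fixed version there should be none.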

The company's recommendation to use Tor Browser for full anonymity still stands.

Brave users can verify the installed version of the web browser by loading brave://settings/help directly, or by selecting Menu > About Brave.

The page that opens displays the installed version and will run a check for updates. Any new version that is found will be downloaded and installed automatically.

Brave 1.20.110 also fixes a crash issue on Linux that occurred when opening .onion links in "certain cases". In addition, the core of the browser is updated to Chromium 88.0.4324.192.

Now You: have you used Tor mode in Brave? Would you?

Publisher: Ghacks Technology News

Comments

  1. m3city said on February 25, 2021 at 8:45 am
    Reply

    Well, well, well, that’s an “Irony” here… Brave with privacy issues?
    Why on earth would they try to implement something that rose around Firefox?! Did not know that. A nice feature I must say.

    1. Iron Heart said on February 25, 2021 at 6:16 pm
      Reply

      @m3city

      Unintentional bugs like this one here may lead to privacy issues. The Brave team is sorry about that as expressed on their GitHub and has already resolved the issue, look it up my man. Firefox (of which you are a major proponent) also had all sorts of unintentional leaks in the past, but I never see you talking about that, huh? Anyway, moving on…

      The “Tor window” feature in Brave is more or less a gimmick, it can help you to anonymize your IP address but lacks the common fingerprint of the Tor Browser Bundle, which is why it cannot and should not be considered a Tor replacement. They even state that in their wiki, so again: Look it up. When one knows what to expect from it, it can be useful. Don’t know what you want to tell us here (probably just bashing Brave for no reason, by the looks of it).

      1. Iron Cringe said on February 25, 2021 at 9:36 pm
        Reply

        If this was a Firefox issue, you’d be shitting all over it but, since it’s Brave, “The Brave team is sorry about that as expressed on their GitHub and has already resolved the issue” is the only thing you have to say.

        Nice one. Very insightful as your regular comments detailing every single flaw Firefox has/had.

      2. Iron Heart said on February 26, 2021 at 12:24 am
        Reply

        @”Iron Cringe” (you shouldn’t mistreat others’ nicks, seriously – this is unasked for)

        I don’t see the point of riding an issue that is already resolved to death – do you see a point in that? I don’t do that for Firefox, either. I mean talking about issues that were already resolved, this would be idiotic. Intentional breaches of trust are another scenario, but this isn’t one.

        The “flaws” I detail regards to Firefox concern such deliberate breaches of trust, or problems of Firefox that are very hard to resolve and have been left rotting for years (like lack of both sandboxing and proper site isolation). If you compare that to a simple fix of Brave, the type of simple fix which they introduce daily because no software is bug-free, then I can’t help you. It’s not the same thing, and I am therefore not treating it as the same thing.

        If there were any serious and deliberate privacy issues of Brave and / or a visible lack of care on part of the Brave team, then rest assured, I would talk about it and call it out (after having switched browsers in response, lol).

    2. Anonymous said on February 25, 2021 at 6:53 pm
      Reply

      @m3city

      Brave had a bug that took them a whole week to fix!!!!! Therefore, I’m using the insecure Firefox.

      1. Anonymous said on February 26, 2021 at 9:35 am
        Reply

        > Brave had a bug that took them a whole week to fix!!!!! Therefore, I’m using the insecure Firefox.

        at least be factual about it. reported January 12 – https://github.com/brave/brave-browser/issues/13527
        how is Firefox insecure? – https://old.reddit.com/r/firefox/comments/lbu6q2/why_do_people_say_chromiums_sandbox_is_better/glxjrjg/

      2. finoderi said on February 27, 2021 at 3:42 pm
        Reply

        @Anonymous And since then some Mozilla employee became an expert in security?

    3. binocry said on February 25, 2021 at 10:34 pm
      Reply

      Tell me software without bug. I’ll wait

      1. gronk said on March 4, 2021 at 6:07 am
        Reply

        I hope more people will see what a piece of crap this feature clearly is
        https://old.reddit.com/r/privacy/comments/lx9c78/brave_tor_tabs_leak_your_timezonecountry_via_tor/

  2. owl said on February 25, 2021 at 10:49 am
    Reply

    I have supported “Brave” from the beginning of its development.
    For that reason, I continued to provide test support for various builds.
    However, as I switched to a digital detox lifestyle, I am now using Firefox ESR as our primary browser and choosing it for practical purposes.
    At the system level, “NordVPN & Adguard for Windows & simplewall & W10Privacy & Sandboxie+” is a countermeasure, and I think it is sufficient.

    Now You: have you used Tor mode in Brave? Would you?
    > The company notes on its support page that its browser “does not implement most of the privacy protections from Tor Browser” and that it “recommends using Tor Browser instead of Brave Tor windows” for “absolute anonymity”.

    No. I don’t use it now or in the past. Probably too from now on.

  3. hank said on February 25, 2021 at 11:29 am
    Reply

    brave is a shady advertising company. privacy is a second hand afterthought they like to hide behind. what a piece of shit browser anyway

    1. Anonymous said on February 25, 2021 at 1:38 pm
      Reply

      But why is it shady/shit browser? The code of the internals is open on GitHub: https://github.com/brave/brave-browser , you can recheck anything the browser does. Can’t say same about Chrome and the advertising company called Google :)

      1. Anonymous said on February 25, 2021 at 11:02 pm
        Reply

        “But why is it shady/shit browser? The code of the internals is open on GitHub”

        Open source is compatible with being malware nowadays. Sadly.

        “Can’t say same about Chrome”

        I heard that before. Chrome is evil, so we are entitled to be too as long as we don’t reach the trillion dollar threshold.

      2. Iron Heart said on February 26, 2021 at 8:50 am
        Reply

        @Anonymous

        If Brave were “malware”, I am sure you could prove it somehow. Where is your proof?

      3. Anonymous said on March 3, 2021 at 9:26 pm
        Reply

        > But why is it shady/shit browser? The code of the internals is open

        Fallacy: being open source does not preclude shadiness or shittiness

        Brave is literally a privacy invading tech giant. It’s an advertisement platform rebranded poorly as a privacy browser. It’s literally just chromium plus a shitty adblocker that whitelists a ton of trackers. It contains a crapload of telemetry you can’t turn off that it sends back to brave and even has an API call to let servers know you are using brave. People who fall for brave are technically illiterate and are victims of how brave is advertised

    2. T J said on February 25, 2021 at 1:48 pm
      Reply

      @ hank

      Now you have done it !!!

      ghacks will now receive a 50 page comment from a certain party explaining that Brave is still better than Firefox despite this cockup. :))
      The comment will, of course, have multiple links to myriad sites so that we can be “educated” about FF failings.

      1. Iron Heart said on February 25, 2021 at 6:10 pm
        Reply

        @T J

        You don’t know me very well, lol. Instead of writing a “50 page comment”, it will suffice to say that bugs happen, in all software products. The bug described in the article here was unintentional and was fixed very quickly after being initially reported to the Brave team:

        https://github.com/brave/brave-browser/issues/14261

        When I criticize Firefox, I never criticize unintentional bugs (which Firefox does have, just like Brave), but rather intentional mistreatment of users and / or laxity and lack of care when it comes to resolve certain issues. You are extremely unfair to characterize me in this way, I hope you know that.

        @hank

        Your post is hardly worth commenting on, since it shows hatred for the product without providing any kind of source for your claims. As for “shady”, Brave is much less shady than most other companies in that business, including Mozilla. If you trust entities like Opera ASA, Google, Microsoft and also Mozilla over them, then I can’t help you. The track record should prove who is right and who is wrong here.

      2. Anonymous said on February 25, 2021 at 11:10 pm
        Reply

        “ghacks will now receive a 50 page comment from a certain party explaining that Brave is still better than Firefox despite this cockup. :))”

        And then 50 page comment from the certain other twin party explaining that Firefox is still better than Brave, while both were founded by the same adtech sponsored asshole and both are the same blatant adware experimenting on how far limits of user gullibility can be pushed.

        An interesting analogy for all of US politics.

    3. FanboyNZ said on February 25, 2021 at 1:52 pm
      Reply

      Brave has a different model for funding a browser, doesn’t make it “Shady”.

      /Disclaimer, Brave employee

      1. ShintoPlasm said on February 25, 2021 at 3:13 pm
        Reply

        @FanboyNZ:

        Hi Ryan, thanks for all your contributions and efforts over the years. A legend of adblocking! :)

      2. Anonymous said on February 25, 2021 at 11:13 pm
        Reply

        “Brave has a different model for funding a browser, doesn’t make it “Shady”.”

        Brave is paid by monetizing browsing behavior for advertisers (and search deals), that’s 100% shady. And that’s not “different” either, Firefox and Chrome do the same thing.

        You humiliated yourself enough as the maintainer of the main ad and tracker blocking list by selling out to an adware company. Please don’t add to that by publicly defending them.

      3. Iron Heart said on February 26, 2021 at 8:56 am
        Reply

        @Anonymous

        > Brave is paid by monetizing browsing behavior for advertisers (and search deals), that’s 100% shady.

        Brave is not selling details about your browsing history to advertisers. This is not how Brave Rewards work, inform yourself, and start here:

        https://brave.com/intro-to-brave-ads/

      4. Anonymous said on March 4, 2021 at 8:51 am
        Reply

        > Brave is not selling details about your browsing history to advertisers

        Brave IS the advertiser. They are an advertising platform backed by venture capitalists.

    4. ShintoPlasm said on February 25, 2021 at 3:16 pm
      Reply

      @hank:

      With all due respect, Brave’s advertising concept is quite straightforward. I don’t understand what makes you think it’s shady: Brave’s devs are some of the most respectable coders in the business, the code is open-source and entirely above-ground. And privacy seems to be far more than an afterthought, if you’d care to go through their blogs and Github.

    5. Alex said on February 25, 2021 at 4:14 pm
      Reply

      @hank

      Well, that is just factually untrue. The code is all there for you to look at.
      I’d rather use Brave that is open source, unlike Chrome.
      I’d also rather use Brave, that is for free speech instead of Firefox, where its head honchos are openly against free speech of what they consider to be “misinformation”.
      Imagine calling Brave “shady” while FF calls itself the bastion of “free internet” while at the same time calling for more censorship of opinions they don’t like. I’m sure you and T J agree with this type of censorship which is why it probably doesn’t bother any of you. You might actually like it.
      That alone should be enough to discard FF completely.
      What other options do we have? Vivaldi? I like it. I just don’t like the “unique ID” thing going on so that’s why it’s not my primary browser.

      The day something factually comes to light about anything “shady” I’ll be the first to call it out when it comes to Brave. As for now, It’s my browser of choice.

      1. Allwynd said on February 26, 2021 at 11:22 am
        Reply

        LOL you fellas still measuring your e-peens?

    6. Anonymous said on February 25, 2021 at 6:49 pm
      Reply

      @hank
      Alex is right, all I hope is you are not calling Brave shady and then use and love Mozilla products, the company that openly embraces censorship and deplatforming for people while talking about “free internet for all” and how we should join them to protect the so important asset, they are so hypocritical and worse than any other ‘big’ browser developer today.

      Also, you don’t even need to use rewards, shady would be if they forced you into their ad system with no way to optout, actually, Brave ads/rewards system is opt-in, so it is people’s choice to try Brave’s new model, Brave put it there and people chose to use it, some people even bought a sandwich in subway just by browsing and clicking Brave ads notifications, so it works.

      For whatever reason you are hating on Brave, I am sure it is not because of the brave rewards and it is not because supposedly in your mind other browsers are better, but it is not normal.

    7. binocry said on February 25, 2021 at 10:32 pm
      Reply

      Yeah dude is better off receiving 90% of his income from google like Failzilla than trying to make money independently. Not shady at all!

  4. Alex said on February 25, 2021 at 4:16 pm
    Reply

    @hank

    Well, that is just factually untrue. The code is all there for you to look at.
    I’d rather use Brave that is open source, unlike Chrome.
    I’d also rather use Brave, that is for free speech instead of Firefox, where its head honchos are openly against free speech of what they consider to be “misinformation”.
    Imagine calling Brave “shady” while FF calls itself the bastion of “free internet” while at the same time calling for more censorship of opinions they don’t like. I’m sure you and T J agree with this type of censorship which is why it probably doesn’t bother any of you. You might actually like it.
    That alone should be enough to discard FF completely.
    What other options do we have? Vivaldi? I like it. I just don’t like the “unique ID” thing going on so that’s why it’s not my primary browser.

    The day something factually comes to light about anything “shady” I’ll be the first to call it out when it comes to Brave. As for now, It’s my browser of choice.

  5. finoderi said on February 25, 2021 at 4:32 pm
    Reply

    I use private window with Tor to occasionally read NYT articles. Because screw them, lol.
    For actual privacy I have a wireguard VPN configured using Upcloud VPS. Great VPS provider btw.

  6. Anonymous said on February 25, 2021 at 5:16 pm
    Reply

    I think those are basically growing pains. While it should not happen, no one should use Brave for protection against state-level actors.

    The scope of the Brave Browser project is too broad though, so they are making lots of mistakes – at the same time, the scope needs to be broad, otherwise there would be no use case.

    So in order to fight Google and Microsoft, brave needs to move fast and break things. They managed to get 25 million users from nothing, once they are at 100 million they can probably invest into the manpower needed to create a real browser instead of a chromium skin.

    1. Anonymous said on February 25, 2021 at 11:15 pm
      Reply

      “So in order to fight Google and Microsoft, brave needs to move fast and break things.”

      They are not fighting Google and Microsoft. They are doing like them, spying on users for advertisers.

      1. Iron Heart said on February 26, 2021 at 8:26 am
        Reply

        @Anonymous

        > They are not fighting Google and Microsoft. They are doing like them, spying on users for advertisers.

        Proof? Brave is one of the most privacy-respecting browsers in existence.

    2. Iron Heart said on February 26, 2021 at 12:16 am
      Reply

      @Anonymous

      I agree with everything you said (except that I believe that due diligence can’t be downplayed by the need to grow, really), however, this does not make much sense to me:

      > They managed to get 25 million users from nothing, once they are at 100 million they can probably invest into the manpower needed to create a real browser instead of a chromium skin.

      I think moving away from Chromium upstream would be a monumentally bad idea. By building on Chromium, they ensure that Brave is compatible with all websites with which the dominant force in the market (Google Chrome) is compatible. When you make your own engine, either by forking Blink or by starting anew (very unlikely considering the complexity of today’s engines), you lose that benefit. Web devs will ignore you and won’t make their websites compatible with you until you reach a certain size, and you don’t reach that size by breaking compatibility with websites (compatibility they otherwise automatically have by virtue of being based on Chromium, as said). They could give it a shot if they had, say, 20% market share, but even then, I don’t see the benefit. The only scenario where something like this would make sense is the one in which Google introduces an irreversible, deep-rooted change in Chromium that goes against their (Brave Software’s) goals as a company, i.e. a scenario in which they are forced to fork Chromium. Now, a large and complex codebase, such as the one of Chromium, is not a battleground. Introducing such a change just to piss off Brave has implications for Google as well, especially if it is a deep-rooted architectural change, and would only make sense if there is some major benefit to them, a benefit that exceeds angering Brave Software (which in itself is not a real goal). Forking Chromium would also have implications for Brave’s current user base, because Brave might lose important features like full Chromium extension compatibility – depending on where exactly in the code the non-reversible change takes place and how hard it would be for them to still incorporate other upstream changes after a theoretical forking point.

      In terms of strategy, choosing Chromium was the only sane choice. It gives them great web compatibility out of the box, reduces their workload (developing their own engine would be extreme amounts of work), and grants them a vibrant extension ecosystem for free. Plus, they can still introduce whatever change they see fit because Chromium is open source. Gecko will die along with Firefox (small scale offshoots like Pale Moon aside), and is irrelevant even today – not a good long term plan. They could have picked WebKit, but the disadvantage here would have been a lack of extensions (Safari extensions – already a small lot – are not directly compatible with other WebKit-based browsers such as Epiphany, Brave would face the same problem). Hard-forking Chromium, as said above, IMHO should only take place when there really is no way around it.

      You can read here about the early history of Brave and some of the basic decisions, e.g. why Chromium was picked in the end, in case you are interested (Brian Bondy is the co-founder of the project):

      https://brianbondy.com/blog/174/the-road-to-brave-10

      It was interesting to me that they actually had a Gecko-based (based on Firefox) prototype in the works which was eventually dropped in favor of a Muon base, and later Chromium.

  7. Anon7 said on February 25, 2021 at 9:29 pm
    Reply

    I think some people don’t like the brave browser because it has integrated ads built into it

    They say it is opt in, but why on earth would you need advertisement capability built in to a browser whether opt in or not?

    Ads and privacy usually do not go well together

    Look up this

    “Brave browser CEO apologizes for automatically adding affiliate links to cryptocurrency URLs”

    I think it would be better to offer at least a version of the Brave browser that does not contain any ad stuff built in

    Also having chromium as the engine is a turn off for some.

    That being said, using brave is a way more private than closed source chrome spy crap

    1. Iron Heart said on February 26, 2021 at 8:41 am
      Reply

      @Anon7

      > They say it is opt in, but why on earth would you need advertisement capability built in to a browser whether opt in or not?

      1) They are pioneering a new privacy-respecting model of advertising in which users earn part of the revenue. So users would have benefits when they enable it.

      2) It helps funding the company because they receive a commission whenever a user donates BAT to a content creator. Funding is important to them because they are not a big tech company for which browser development is a side project – the Brave devs need to eat.

      It’s opt-in, I don’t know why this is even brought to the table. Users who don’t like it don’t need to enable it, right?

      > Ads and privacy usually do not go well together

      I don’t have the time to explain how it works in detail, but in general: Brave downloads a non-personalized list of ads periodically, ads which only consist of the text and a hyperlink (so no tracking scripts involved), ads that later appear as system notifications – they aren’t being inserted into websites. A local algorithm picks fitting ads from the list based on your browsing, no kind of personal data is being transmitted to Brave Software or any third party in the process.

      So yes, privacy-friendly advertising is definitely possible.

      > Brave browser CEO apologizes for automatically adding affiliate links to cryptocurrency URLs

      *Yawn* This wouldn’t be a Brave article without this being brought up. What you criticize here was a legitimate means of funding – Brave and Binance are officially partners, for all to see. Going by the same logic, you would also have to criticize other browsers for their use of referrals whenever you perform a search, for example, you help Mozilla get $$$ from Google whenever you do a Google Search in FF and yes, a referral is involved there. The referral in Brave was also never a privacy issue, I have explained this in detail here:

      https://www.ghacks.net/2020/12/25/how-to-hide-the-tips-icons-that-brave-places-on-some-sites-automatically-as-part-of-its-rewards-system/#comment-4481424

      You can choose to be a hypocrite and bash Brave for using referrals while all other browsers also use them (in relation to searches at least) or you could inform yourself, the choice is yours.

      > Also having chromium as the engine is a turn off for some.

      ???

      Chromium offers superb web compatibility, security, and performance. Brave Software improves its privacy. Don’t know why that is considered bad. They have no intention to die a premature death as a project by basing their product on Firefox, a browser on its last legs. Reinventing the wheel is not viable either (too expensive and for no reason), so Chromium is the only viable choice.

    2. Anonymous said on February 26, 2021 at 10:42 am
      Reply

      > Brave browser CEO apologizes

      Not initially. He defended it. Only after more outcry did he apologize. His apology was a non-apology, instead he claimed it was a mistake. It wasn’t a mistake, it was planned and implemented for scalability and additional urls added. He also disingenuously compared typed urls to searches from the urlbar and claimed all browsers did it

      1. Iron Heart said on February 26, 2021 at 10:50 am
        Reply

        @Anonymous

        What should he apologize for? There was never a violation of user privacy involved. No damage to the user = no apology required. And yes, all browsers do that at least in relation to searches. That’s a FACT and only hypocrites who hate Brave could ignore that. If referrals are evil according to you, you could hardly use any browser.

      2. Anonymous said on February 26, 2021 at 11:29 am
        Reply

        “What should he apologize for?” – Ask him yourself. He DID apologize so clearly he felt he HAD to
        “There was never a violation of user privacy involved” – no one said there was

      3. Iron Heart said on February 26, 2021 at 2:32 pm
        Reply

        @Anonymous

        > He DID apologize so clearly he felt he HAD to

        Weak action of Eich, bowing to the shit storm of mostly Firefox users who never even used Brave. Weak, weak action. I guess he has to offer a gesture of good will when put under pressure for no rational reason at all. His initial reaction was the only correct one.

        > no one said there was

        Then why are you making mountains out of molehills? It’s not something any user who is not trying to harm the Brave project via shit storm would care about. Fact.

        Honestly: If those non-issues are all you’ve got, it only shows that the Brave project is fairly legit. Firefox had actual scandals that caused harm (e.g. hijacking new installations with the Cliqz spyware, via the FF experiments backdoor), but I don’t see anyone talking about that, and this just screams HYPOCRITE.

    3. Anonymous said on February 26, 2021 at 10:51 am
      Reply

      @Anon7, That is where the Dissenter browser comes in. It is basically a clone of Brave with the bat token thing taken out. They give it their own Gab branding look to it also.

      1. Iron Heart said on February 26, 2021 at 10:53 am
        Reply

        @Anonymous

        The Dissenter browser is outdated, failing to keep up with Brave development. Security nightmare.

      2. T J said on February 26, 2021 at 3:06 pm
        Reply

        @ Iron Heart

        You still need to write another 30 pages. :))

      3. Iron Heart said on February 26, 2021 at 5:13 pm
        Reply

        @T J

        Fanboy alarm.

        Don’t care.

  8. NoOneCares said on February 26, 2021 at 2:23 pm
    Reply

    All Browsers track users…that’s why they are FREE to use. They make money off you by tracking you on the internet. They all do it…there is no better privacy in mind browser out there. Anything else posted on here it’s just fanboyish.

  9. Anonymous said on February 26, 2021 at 4:44 pm
    Reply

    If you need Tor use the Tor browser, which is based on Firefox, not a half-assed implementation in Chromium.

    1. Iron Heart said on February 26, 2021 at 5:18 pm
      Reply

      @Anonymous

      Tor Browser Bundle is only based on Firefox because it was the only viable choice back when Tor Browser development started. No other reason. Tor inherits weak exploit mitigations from Firefox, and by the way, this is how most users of Tor get deanonymized – their sorry asses just get hacked and it’s not too hard considering that it’s Firefox.

      However, yes, one should use the Tor Browser when accessing the Tor network because Chromium browsers can’t produce a fingerprint pertaining to Gecko. Brave Software knows this hence why they mention it in their wiki. Tor will have to move to Chromium once Firefox is given up on by Mozilla, by the way.

      1. Anonymous said on February 26, 2021 at 8:00 pm
        Reply

        Iron Heart, please be kind and provide proof that tor user got “deanonymized” (I assume this means caught) due to software (Firefox) hacking.

      2. Anonymous said on February 28, 2021 at 9:40 pm
        Reply

        different Anonymous here. OK, I’ll fact check you. Your claim is unfounded, and you are talking a load of sensationalist made-up crap in order to make something else look bad (Why? Does it make brave’s bug look better? Or this just some attempt to shit on Firefox?)

        > “Tor inherits weak exploit mitigations from Firefox, and by the way, this is how most users of Tor get deanonymized”

        So far the best you can come up with is a single example almost 8 years ago, at least partially caused by opsec according to your link (failure to update his browser)

        Please provide actual proof that software exploits are how “most users of Tor get deanonymized” – repeat “most users”. The second link gave four examples of which only one was a software exploit (already patched at the time), the rest were all purely opsec.

        https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908
        – 4+ years old, no examples

        http://se.azinstall.net/2015/11/how-tor-users-got-caught.html
        – three of the four examples show no deanonymization due to software hacking
        – number three: This is CVE-2013-1690, fixed almost 8 years ago: the vulnerability had already been patched but the user was not up to date. here are some links
        https://www.mozilla.org/en-US/security/advisories/mfsa2013-53/ fixed Jun 2013
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1690
        https://bugzilla.mozilla.org/show_bug.cgi?id=857883
        https://bugzilla.mozilla.org/show_bug.cgi?id=901365

        https://www.securityweek.com/tor-users-targeted-firefox-zero-day-exploit
        – 4+ yr old 0-day

        https://www.technologyreview.com/2020/02/08/349016/a-dark-web-tycoon-pleads-guilty-but-how-was-he-caught/
        – repeat of the third example mentioned above: also “officials won’t reveal if a vulnerability was used”

        https://thehackernews.com/2016/05/fbi-tor-firefox.html
        – has nothing to do with Tor Browser, but rather a relay early traffic confirmation attack

        https://twitter.com/tqbf/status/930807512609296384
        – this is the same as the first reference: 4+ years old, a tweet from tqbf who wrote a blog

        https://twitter.com/tqbf/status/830511154950766595
        – this is the same as the first reference: 4+ years old, a tweet from tqbf who wrote a blog

        Simply searching google for “Tor Firefox exploit caught” (sans quotes) will bring up all sorts (real, misleading, scaremongering, myths, lies) of bulk repetition (it gave me 475k results). This is no way to research or answer a question. Change the time to the past year, and I get four results
        – this page
        – a wiki entry on Freedom Hosting (which is about Marques: the one I gave all the links for, for a zero-day in 2013)
        – a page about two Firefox bugs which leads to this: https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
        – this general article: https://nakedsecurity.sophos.com/2020/08/13/tor-and-anonymous-browsing-just-how-safe-is-it/

        If I leave out the word “firefox” so results are Tor Browser, I get slightly more results, but nothing new

        Has Tor Browser had critical zero-days in the past: yes
        Has it been used to deanonymize someone. Yes (at least Marques using an outdated Tor Browser back in 2013)
        Do all browsers have zero-days, including ones in the wild before being patched. Yes.

      3. Iron Heart said on March 1, 2021 at 9:18 am

        @Anonymous No. 2 (you guys should pick another pseudonym really)

        Whenever someone says the magical words “fact check”, whatever follows is usually unfounded BS, and so it was here. Tor inherits weak exploit mitigations from Firefox:

        https://madaidans-insecurities.github.io/firefox-chromium.html

        It is a common sense assumption that exploits are the easiest and cheapest way to de-anonymize specific Tor users. Tor is built on the idea of everyone looking the same, and on the idea of hiding one’s origin at the network level. While de-anonymization on the network level is possible (e.g. timing / latency attacks), it is extremely resource-intensive compared to just luring Tor users on websites and doing some drive by attack. Once the local machine is infected – game over. As expressed in the Medium article, Tor is a high profile target because it is being used by various criminals, including the drug shadow business.

        Now, all I wanted to express here is that Tor doesn’t use Firefox as a base because of its superior security, but rather because of historical ties and difficulties stemming from the workload of patching Chromium (with Google being uncooperative). There is no quality of Firefox that would make Tor use it except maybe Mozilla’s willingness to cooperate when issues arise.

        Your denial that security issues are being used against Tor users (Did you even deny that? If not, there is very little point to your reply…) implies a lack of common sense, because the alternative for authorities would then be extremely resource-intensive attacks at the network level, and nobody does this when it can be avoided. Authorities are interested in Tor vulnerabilities because (part of) its users are higher profile targets.

      4. Anonymous said on March 1, 2021 at 3:55 pm

        @ Iron Heart

        Asked for proof (all but one was irrelevant) and then for more proof (none given), the best you can come up with is STILL just a single 8 year old example. The other critical bug was over 4 years ago (but no known cases).

        And just to spin it on its head: even if chromium had been used for Tor Browser, then we could just point at any number of critical zero-day free-after-use and other bugs in the wild from Chrome in the past and say “Tor exploit, deanonymization”. Nothing you ever say makes sense. All you do is spew garbage

        And you’re STILL spouting out of context nonsense: Just linking to madaidan and crying “but Firefox insecure” is a giant cop out and shows your ignorance. You have done this exact link and rant about 100 times on ghacks, and your assessment is bull shit: you’re trying to quantify the overall security of browsers which is complex and almost impossible to do, while at the same time ignoring all the layers. Amateur hour. My three year old could do better: although I do admit she is a very smart three year old.

        Here is a Moz engineer explaining
        https://old.reddit.com/r/firefox/comments/lbu6q2/why_do_people_say_chromiums_sandbox_is_better/glxjrjg/
        – quote: “How does that wash out in the end? It’s really hard to say and pretty much impossible to quantify.”

        That’s not to say that components cannot be individually improved to be “harder” (and the same can be said of chromium), e.g. madaidan. It also doesn’t mean the status quo isn’t already highly secure

        You need to look at the overall picture: those defence-in-depth layers
        – 9.8 to 12.3 % of relevant Firefox code is written in Rust – https://wiki.mozilla.org/Oxidation#Statistics. This is not insignificant, as also said by the Moz engineer in the above link
        – chrome are struggling with memory leaks in C++ (70% of their critical bugs) and have reached the end of process isolation, and are now turning to Rust
        – firefox’s Fission isn’t quite there yet, and that’s a major layer to add

        Firefox certainly lacked multi-process and other protections in the past. You can’t say the same today. Both engines can always do with more security: but to claim one is worse than the other, is pure ignorance.

        Android has its own set of issues but Fenix is a complete rewrite that can now move forward on some of these such as a sandbox: and Tor Browser now has an Android version. For sure this needs some work to get some parity.

      5. Anon7 said on March 1, 2021 at 8:53 pm

        This is taken from the chromium projects blog

        https://blog.chromium.org/2019/11/intent-to-explain-demystifying-blink.html

        “Chromium is an open source project that’s being worked on by over 2000 engineers from ~55 different organizations. Of course, Google is responsible for the bulk of Chromium – 92% of commits to the project (data) come from Google, although about 20% of contributors are not Google-affiliated.”

        “With a project of this magnitude, each of the involved companies and contributors are naturally pushing their own slightly different agenda and priorities. Even within Google’s Chrome team there are multiple ways to prioritize which problems are most urgent to tackle and solve. One area that is consistent, is that we work with the ecosystem and developer partners to understand and address their needs. We do that by creating compatibility dashboards, collaborating with frameworks, and observing development patterns in the wild.”

        …………………..

        Working with google chromes team literally says it all, google are too influential in that project.

        A whopping 80% of contributors are google affiliated. 55 different organisations involved in the project? Only 20% of contributors non google affiliated?

        Of those 20% not affiliated with google, how much of them are affiliated with microsoft? google and microsoft collaborating with the chromium project? Look at the map of contributors on their blog.

        Having google affiliates behind the monopoly engine that is chromium should ring alarm bells on the direction it is going

        Gecko may not be perfect, but at least the code is mostly maintained by mozillas own employees.

        Ironhearts notions of tor developers working with google/chromium makes no sense at all. They are serious about privacy, unlike brave who just let their users down by not implementing their poorly configured tor windows correctly.

        If Brave were really concerned about privacy, they would have never adopted the chromium engine and implementing faux tor windows that were poorly configured and also messing around with ad blocking scripts that are hard to set right for googles pet project chromium.

        Brave are facing an uphill battle if they want privacy from chromium, google are too deep in it. They chose the wrong engine, they chose convenience over something more complex and more open to modifications like Gecko.

      6. Iron Heart said on March 2, 2021 at 12:16 am

        @Anon7

        Your post is slipping into several fallacies and wrong assumptions:

        – That Google employees write significant portions of the Chromium code doesn’t mean that its privacy inevitably goes down the abyss. Brave (and other browsers like Bromite) maintain their own patch sets which they apply to Chromium for their respective browsers. It is true that rebasing on newer Chromium versions can break those patch sets, but a) it not always does and b) who are you to say that Brave employees can’t resolve breakage, do you think they are that stupid?

        – That Google writes the majority of Chromium code is a problem to you, but apparently it is no problem to you that Mozilla writes the majority of Firefox code. Do you implicitly assume that Mozilla has your interests at heart? What makes you think that? Are you even aware of the fact that Tor, as a separate project, has to resolve / eliminate some of the privacy issues caused by Mozilla? They face the same problems as Brave with the marginal difference that Mozilla is usually more cooperative.

        – That Mozilla is basically entirely Google-funded is not a problem for you? You seem to have a problem with Google meddling in other projects’ affairs, how about Mozilla?

        – You fail to understand that Brave’s Tor mode cannot exactly match the Tor Browser as long as Tor is not Chromium-based (this could change once Tor switches to Chromium), a Chromium-based browser like Brave will never produce Tor’s canonical fingerprint which currently relies on Gecko. In other words, Brave’s Tor window is a gimmick feature meant to hide your IP address, not more. Brave is even saying that you should use the Tor Browser if you are in a high risk situation where perfect anonymity is key. Brave is clearly meant to be used as an everyday browser, not as a Tor replacement.

        On a more general note: Gecko is on its last legs. Its market share is below 4% globally (mobile + desktop combined). Web devs are increasingly ignoring it, it can’t even run Skype Web and other major services anymore. Mozilla will either switch to Chromium or exit the browser market entirely, focusing even more on social and political activism than they already do. Tor will be switching to a Chromium base because they have no other viable choice. You are riding a dead horse here, cowboy. Don’t know why you get passive-aggressive over something that won’t exist anymore in a few years, and hasn’t been a strong competitor for at least a decade now.

      7. Anon7 said on March 2, 2021 at 5:01 pm

        @Ironheart

        [IronHeart comment] – That Google employees write significant portions of the Chromium code doesn’t mean that its privacy inevitably goes down the abyss. Brave (and other browsers like Bromite) maintain their own patch sets which they apply to Chromium for their respective browsers. It is true that rebasing on newer Chromium versions can break those patch sets, but a) it not always does and b) who are you to say that Brave employees can’t resolve breakage, do you think they are that stupid?

        Google affiliated groups writing the code for chromium does make privacy go out the windows in subtle but meaningful ways.

        They take chromium in a direction that is detrimental for other browsers and extensions. They are trying to change websites compatibility with less popular browsers, thus destroying healthy competition and creating an abhorrent monopoly on browser software. Think manifest V3 or other crap they push.

        I never said Brave developers were stupid. I believe that by them using chromium as the base for Brave, it increases their workload by trying to clean up googles mess, and when that happens things start breaking, like their failed tor window.

        [IronHeart comment] – That Google writes the majority of Chromium code is a problem to you, but apparently it is no problem to you that Mozilla writes the majority of Firefox code. Do you implicitly assume that Mozilla has your interests at heart? What makes you think that? Are you even aware of the fact that Tor, as a separate project, has to resolve / eliminate some of the privacy issues caused by Mozilla? They face the same problems as Brave with the marginal difference that Mozilla is usually more cooperative.

        Mozilla is not google/chromium. What part of that can you not understand? they receive funding from google, so? it still does not make them google, and at least it is not google messing with the actual code or making gecko a monopoly under their control like chromium.

        Google trying to swallow up mozilla is terrible, but you seem to welcome it.

        Comparing Mozilla to google is just really dumb btw. Google is trying to stick their nose in, but at least they are not balls deep into mozilla (as of yet) like they are with chromium.

        Since Mozilla/gecko are not google, they are automatically more trustworthy despite their flaws. Some of the privacy issues that are on a raw firefox install can easily be taken care of by hardening the browser. You make it out as if Firefox is not easy to harden. Even just changing the default search engine from google is +1 for privacy.

        An unhardened firefox phones home, so what? that can be turned off with hardening.

        Firefox is for power users.

        Brave is more a niche for folks trying to escape chrome and have privacy out of the box, the bat token also helps content creators. Brave deserves a place too. But instead of liking both firefox and brave, you would rather demote firefox from its status as a trusted web browser.

        You come off as fan-boyish rather than insightful.

        [Ironheart comment] – That Mozilla is basically entirely Google-funded is not a problem for you? You seem to have a problem with Google meddling in other projects’ affairs, how about Mozilla?

        I find it deplorable that Mozilla is receiving funding from the devil.

        However, as long as the code is not tampered with by google affiliated groups and google just providing funds for them to use their search engine as a default, then it is the lesser evil, than adopting their pet project chromium as a base for their browser imo.

        I am not a fanboy like you are, I can see flaws in both mozilla and google. I see mozilla as the best of a bad bunch though.

        [IronHeart comment] – You fail to understand that Brave’s Tor mode cannot exactly match the Tor Browser as long as Tor is not Chromium-based (this could change once Tor switches to Chromium),

        I would be curious to know of where tor says it has future plans to use chromium as a base?

        tor switching to chromium makes little to no sense, they are just going to dump gecko because chromium is more popular? I think that is wishful thinking on your part. gecko may be less popular but it still has a considerable share of the browser market despite google trying to be the greedy monstrosity that it is.

        [Ironheart comment] On a more general note: Gecko is on its last legs. Its market share is below 4% globally (mobile + desktop combined). Web devs are increasingly ignoring it, it can’t even run Skype Web and other major services anymore. Mozilla will either switch to Chromium or exit the browser market entirely, focusing even more on social and political activism than they already do. Tor will be switching to a Chromium base because they have no other viable choice. You are riding a dead horse here, cowboy. Don’t know why you get passive-aggressive over something that won’t exist anymore in a few years, and hasn’t been a strong competitor for at least a decade now.

        Gecko will always have its place, you wish it was gone, but it is not.

        Skype? there are better alternatives. There is more to technology than microsoft or google you know, you forget that smaller groups can be better.

        As for your thoughts on firefox becoming social justice warrior/liberal orientated? that is because their current ceo is a woman, women virtue signal a lot and sometimes haven’t a clue what they are talking about, she is a perfect example of that. I can see your point though on how it is bad for mozilla. People should not give up hope just yet though.

        I seriously doubt that her views would represent the views of the vast majority of the mozilla employees.

        It would be premature to crap on mozilla because of that snowflake ceo. As long as the code is safe, open source and away from the prying eyes of google, there will be life in the old dog yet.

        Mozilla exiting the browser market entirely? jesus christ man.

      8. Iron Heart said on March 1, 2021 at 11:55 pm

        @Anonymous

        > the best you can come up with

        …would be pointing you to current Firefox (ESR) security issues, which are detailed here:

        https://www.mozilla.org/en-US/security/advisories/

        But then you would come up with the rather silly question: “Prove that those are actively exploited for Tor users etc.” and I am simply too tired for that kind of shit. Not every breach of security goes public, but Tor is unquestionably a high profile target, so the assumption that FF security issues are being used against it is reasonable, for it is a cheap way to de-anonymize specific users. Historical records are invalid to you, so no point in bringing up even newer incidents, all “historical”.

        > even if chromium had been used for Tor Browser, then we could just point at any number of critical zero-day free-after-use and other bugs in the wild from Chrome in the past and say “Tor exploit, deanonymization”.

        Dude, that’s not how it works. Security is more holistic than that. No software of the magnitude of Chromium or Firefox can be bug-free and thus offer “optimal” security. Simply not possible. What matters are anti-exploit mitigations, and current day security measures being introduced and refined. And Chromium is way ahead of Firefox there. Is it perfect because of that? Nope, “ahead of Firefox” does not mean “perfect”.

        > Just linking to madaidan and crying “but Firefox insecure” is a giant cop out and shows your ignorance.

        LOL, no it’s not. I point to madaidan again and again because of two factors:

        – He is a security expert and a member of the Whonix team (you know, the people developing the OS on which the lives of dissenters in authoritarian regimes depends), so any kind of stupid attempt to attack the expertise of the author falls flat here.
        – It’s a nice summary of the most glaring security issues.

        It gets the point I am trying to get across nicely, and you are (like anyone else here) unable to refute any of the points raised there. That I bring it up over and over again doesn’t mean it is “invalid”, it just means that I repeatedly bring it up.

        > Amateur hour

        CVE counting like “Chromium has also [insert X figure] CVEs” is indeed amateur hour, and that’s exactly what you do when you say that “Chromium also has zero days” (quelle surprise). Ironically enough, in an exercise of self-refutation, you insist that security should be looked at holistically one sentence before.

        > Moz engineer explaining

        Literally says that Project Fission has not yet even reached stable and that Firefox was only playing catchup again even when it’s finished. This is rather counterproductive for your argument, do you even realize that?

        > 9.8 to 12.3 % of relevant Firefox code is written in Rust

        Impressive figures. :D You forgot to mention that it is mostly NOT the most attacked components of FF that are written in Rust, though.

        > and are now turning to Rust

        I’ve long since said that Rust will be Mozilla’s lasting legacy, not FF. That FF is somehow secure just because Mozilla is also behind Rust (while being very slow to rewrite FF in Rust, haha) is a fallacy, by the way. Rust was developed independently of FF which predates it, and yes, also with the intention to solve some of FF’s flaws (however, Rust is fully independent of it and can be used for anything really).

        > firefox’s Fission isn’t quite there yet

        Oopsie.

        > Firefox certainly lacked multi-process and other protections in the past. You can’t say the same today.

        e10s in its historic form has nothing to do with real site isolation and proper sandboxing, which Firefox still lacks. But yes, you are right, it used to be a single process software in the past, and has improved since then (and is still playing catchup).

        Look, I am not writing this to shit on FF. I am trying to make it clear that there is factually nothing about FF that would make Tor use it, and the fact that Tor uses it can be explained by its history (Chromium didn’t exist back then) and Mozilla being more cooperative. Tor wants (and pushes for) better FF security, but I have my doubts that FF will ever reach parity with Chromium before it inevitably dies (< 4% market share today and still going down).

      9. Anonymous said on March 2, 2021 at 4:54 pm

        quote—
        > even if chromium had been used for Tor Browser, then we could just point at any number of critical zero-day free-after-use and other bugs in the wild from Chrome in the past and say “Tor exploit, deanonymization”.

        Dude, that’s not how it works.
        — end quote

        THAT WAS EXACTLY THE POINT TO HIGHLIGHT YOUR STUPIDITY. You think it’s OK to make a general claim for Firefox, but not Chromium. It is not hard to take something you say, switch out the nouns and watch you change your tune. You are a logic bomb of hypocrisy-laden bull shit. No-one can take you seriously. My three year old thinks you suck.

      10. Iron Heart said on March 2, 2021 at 7:23 pm

        @Anonymous

        I never engaged in CVE counting which is 100% idiotic, you did. I point to systematic issues of Firefox, not single CVEs. Except when having to demonstrate specific incidents, because you asked for it. Your claim that I am somehow Janus-faced is complete BS.

        > My three year old thinks you suck.

        I am devastated now.

      11. JoeBiden said on March 3, 2021 at 9:11 am

        Iron Heart, will you just shut up man!

      12. Iron Heart said on March 3, 2021 at 8:01 pm

        Why should I? I am refuting nonsensical replies here.

      13. m3city said on February 26, 2021 at 10:34 pm

        @Iron Heart
        You know nothing. As pointed out several times by few people here on ghacks. Firefox and ideas behind it are clearly above sth you can comprehend. And the hate you spread about software you don’t use shows how little you are.

      14. Iron Heart said on February 27, 2021 at 8:28 am

        @m3city

        Yeah, sure thing my man. And I think all the sources I’ve just provided are also thin air as well. Ridiculous notion. That Chromium is more secure than Firefox in various ways is not exactly a secret, I know that this is a bitter pill for a fanboy like you to swallow, but it’s reality.

      15. I love Instagram said on February 26, 2021 at 10:44 pm

        @Iron Heart
        What keeps Tor Browser Bundle from migrating from the worst browser ever to the best browser mankind could imagine?
        And if that tor thing is so cool, why does Brave fakes it, but does not make its own, let’s say Vegetable Browser Bundle?

      16. Iron Heart said on February 27, 2021 at 8:32 am

        @I love Instagram

        > What keeps Tor Browser Bundle from migrating from the worst browser ever to the best browser mankind could imagine?

        They’d have to introduce changes to Chromium and would have to maintain them themselves without the support of upstream, because Google is not cooperative:

        https://gitlab.torproject.org/legacy/trac/-/wikis/doc/ImportantGoogleChromeBugs

        However, they’ll have to deal with it once the Gecko engine meets its demise. It’s either patching Chromium or giving up on the Tor Browser Bundle in the future. Moving to Chromium would improve their security and web compatibility, however, it would mean more workload for the Tor devs because as said, Google won’t help them.

        > And if that tor thing is so cool, why does Brave fakes it, but does not make its own, let’s say Vegetable Browser Bundle?

        ???

        Don’t know what you mean here.

  10. Anon7 said on February 26, 2021 at 10:43 pm

    (Ironheart comment) Chromium offers superb web compatibility, security, and performance. Brave Software improves its privacy. Don’t know why that is considered bad. They have no intention to die a premature death as a project by basing their product on Firefox, a browser on its last legs. Reinventing the wheel is not viable either (too expensive and for no reason), so Chromium is the only viable choice.

    You are correct about Chromium/Blink’s web compatibility. But that is only because Google has its mitts all over it, big tech is turning it into a monopoly as far as browsers are concerned. Look at microsofts edge.

    It is better to have more variety than a monopoly.

    Google is responsible for the bulk of Chromium – 92% of commits to the project apparently

    Google, Facebook, Microsoft, Opera Software, Intel, Samsung, and others are all involved with Chromium/Blink in some way or another with Blink/Chromium project.

    It is not a good look IMHO.

    Back in 2015, Chromium 43 was reported by Debian developers as automatically downloading the binary blob Chrome Hotword Shared Module extension, a library for Google’s OK Google voice recognition feature.

    Chromium/Blink is tainted by googles mitts, that is why there are trust issues with privacy. Many would be suspicious of it. Binary blobs that could be hard to see etc.

    Mozilla/Gecko may not be perfect either, but at least the gecko engine does not have google/microsoft involved with the code in it as far as we know.

    Gecko should have its place.

    I do not see how a chromium/blink monopoly on browser software would be good to the end users.

    1. @Anon7 said on February 27, 2021 at 9:27 am

      >> I do not see how a chromium/blink monopoly on browser software would be good to the end users.

      That’s exactly what Iron Heart clearly does not understand.

  11. ryuk said on February 27, 2021 at 9:42 am

    Brave on mobile kinda sux tho. No extensions, “Add to home screen” popups that cannot be disabled, dark mode is not polished yet etc.

  12. Hank, in Tennessee said on February 28, 2021 at 7:41 pm

    Years ago I was very interested in Tor browser.
    Tho I never got around to trying it.

    I recently re-discovered this guy’s info that pretty much ends my interest in it:

    https://restoreprivacy.com/tor/

    I use Brave Android as one of a couple secondary mobile browsers,
    tho iirc it does Not have Tor mode.

    I’m not very interested in Tor mode in Brave Desktop.
    Tho I suppose I should look into it for what it’s worth.
    (When I get another working desktop that is.)

    Hank, in Tennessee
    (diff from the “hank” above)

  13. Klaas Vaak said on March 4, 2021 at 10:15 am

    @Iron Heart: wow, you got a lot of stick this time. But you know what? It is a compliment that so many different people attacked you, which means you made some good points which they have been able to refute in any convincing way.

    Keep up the good work. I know it can be frustrating to deal with certain of the characters, but they are all just honouring you with a reverence.

  14. Ana said on March 24, 2021 at 3:31 pm

    These kinds of things are terrible. It must be hard when a company tries its best, and boom: a small mistake throws everything into the trash.
    I hope the best, in reality. At https://demyo.com/, I was able to notice these issues are essential. It would be great if anyone suffered because of this
