Freedom Host administrator has been arrested in Ireland, he is currently awaiting extradition to the US, being described by an FBI special agent as “the largest facilitator of child porn on the planet.” Freedom Host was a service inside the Tor network hosting anonymous content that could consist of anything, ranging from leaked documents to hacking tools and illegal images.
Tor Project’s Executive Director has confirmed in his blog that Freedom Host servers were breached before going offline and it is claimed that hidden Tor sites in Freedom Host had been injecting a javascript exploit in an attempt to identify its users. The vulnerability only worked in Firefox 17, on which Tor Browser Bundle is based and is therefore vulnerable, the developers had recently turned on javascript by default in an attempt to make it more user friendly. People using the the NoScript addon or Tails live DVD to access Freedom Host hidden sites should have been protected from the exploit.
Freedom Host Tor operator arrested
OnionNews posters also link FreedomHost administrator with Tormail and a Bitcoin escrow service called OnionBank, those services should be considered compromised by law enforcement as well.
It is important to remember that what has been seized are servers belonging to an individual running various Tor services, this is not a Tor network vulnerability, as long as you did not run the Tor Browser Bundle you should be safe. Hidden sites running on different servers should also be safe, but this sends a strong message that what has happened to one operator might happen to others. The lesson learnt here is that you should always disable javascript in your browser.
More info: Tor Project official blog
corrector
“The lesson learnt here is that you should always disable javascript in your browser.”
Patently inane conclusion.
Many sites are unusable without JS. Also, not all vulnerabilities are JS-based. The next exploit might be with Web fonts, with the PNG renderer… will you also disable images?
OTOH, you probably should :
– ensure the host running the browser does not have an Internet address
– block all outgoing connections except for Tor
– make the MAC address random
salt
Every Tor exploit in the past has relied on JavaScript. The steps you outlined are not practical for the average user. If you insist on enabling JS an easier method would be to run Tor under a VPN. In this case the exploit would reveal only the VPN’s IP.
doc
How about connecting to Tor through a ssh tunnel to an anonymous proxy? Would that suffice too?
imu
Will there be an update to this news?
Brittany
hello imu,
I am not updating the blog sorry, too busy working.
hacker10