Generally, the Tor network provides a high level of protection and anonymity for its users. So much so that law enforcement agencies, instead of attacking the network itself, have opted to hack individual users' computers, or end-points. This way, investigators have learned Tor users' IP addresses.
But the Tor Project, the nonprofit that maintains the Tor software, and the team behind Mozilla's Firefox, have quietly been working on improvements that, they say, should make such attacks more difficult. By tweaking how the browser connects to the Tor network, malware designed to unmask users may have a harder time doing so.
"We're at the stage right now where we have created the basic tools and we're working on putting them together to realize the security benefits," Richard Barnes, Firefox Security Lead, told Motherboard in an email.
As Barnes explained, the Tor Browser is basically made up of two parts: a modified version of Firefox, and the Tor proxy, which routes the browser's traffic into the Tor network. Usually, the Firefox part also has network access, as it needs this to talk to the proxy.
"That means if an attacker can compromise the Firefox half of Tor Browser, it can de-anonymize the user by connecting to something other than the Tor proxy," Barnes said.
Indeed, this is essentially what the FBI has done in some of its dark web investigations. In February 2015, the agency deployed a "network investigative technique" (NIT)—the agency's term for a piece of malware—against suspected visitors of a child pornography site. That malware first used a Tor Browser exploit, and then forced the computer to contact a government server outside of the Tor network, revealing the suspect's real IP address to the FBI.
But that will change with the support of 'Unix domain sockets', and some other tweaks. A Unix domain socket is basically a way for two programs on the same computer to talk to each other without using an underlying network protocol. With that, the Firefox half of the Tor Browser should no longer need network access, Barnes continued.
"That means that you could run it in a sandbox with no network access (only a Unix domain socket to the proxy), and it would still work fine. And then, even if the Firefox half of Tor Browser were compromised, it wouldn't be able to make a network connection to de-anonymize the user," he said.
This project is a collaboration between the Tor Project and Mozilla, according to Barnes. He said it started when the Tor Project did some work on adding Unix domain socket capabilities to the Tor proxy and browser. After that, Mozilla added a general capability to Firefox allowing it to talk to proxies over Unix domain sockets. And now, the Tor Browser team is working on putting this general capability into the Tor Browser, and Mozilla is helping to fix any bugs that come up, Barnes said.
There are some caveats, however. For this plan to work, the operating system needs a couple of things, namely a non-network way to talk to the proxy—in this case, Unix domain sockets—and a suitable sandbox that can stop the Firefox part of the browser from getting access to the network.
At the moment, Firefox's support will only work on platforms that have those sockets, like macOS and Linux. Barnes said support will be included with Firefox 51, which will be released in January.
"Work is ongoing to extend this capability to Windows […] and sandboxing work should proceed once the integration is done," Barnes added.
After this story was initially published, a Tor Project spokesperson gave the following statement to Motherboard: We are sandboxing the Tor browser to insulate our users from potential attacks. We want to make life as difficult as possible for people trying to deanonymize our users. Tor developer Yawning Angel just finished an experimental prototype that will likely appear in some versions of the Tor Browser later this year.
This story was also updated after its initial publication to include Firefox 51's January release date.