*** This bug is a security vulnerability ***

Public security bug reported:

There is an insidious privacy leak (aka security flaw) when using the
default Tor Browser Bundle on Ubuntu 13.10/Unity.

I do not know if this problem occurs on any other Ubuntu version, but I
do know that this problem does NOT occur on four other operating systems
where I currently use the Tor Browser Bundle (namely Windows 7, Windows
XP, CentOS 6, and RHEL 6).

The problem is that every single user who follows the standard
instructions to install the default Tor Browser Bundle on Ubuntu 13.10
will constantly have to double-check Ubuntu 13.10 to see WHICH browser
they are opening (which, arbitrarily, will either be the secure Tor or
the insecure Firefox). While having to check the Help->About every time
one opens up a browser is a problem enough to report as a bug, the worse
effect is when a user inadvertently uses the wrong browser. Make no
mistake about this - the repercussions can be severe (even fatal). If
someone has a need for privacy, one single mistake can get them into a
lot of trouble.

At the very least, that inevitable mistake would compromise an entire
anonymous nym; and at the worst, well, I don't even want to think about
what could happen in the worst case (depending on the government of the
user whose anonymity is betrayed).

Fact is, with this bug, Ubuntu 13.10 cannot be trusted with the Tor
Browser Bundle. Period.

That's why this seemingly simple bug where, only on Ubuntu 13.10, Tor
and Firefox are confused by the operating system, is actually a severe
usability bug.

To reproduce, first simply install the Tor Browser Bundle on Ubuntu 13.10,
following published instructions.
Note that the Tor Browser Bundle is NOT in the repositories (AFAIK) so you'll
need to get it off the default Tor web site.
I installed the 64-bit Tor on Ubuntu 13.10, but the problem appears to be the
same on 32-bit Ubuntu 13.10.

Then, once you have installed the Tor Browser Bundle using the standard
method published on the Tor web site, launch both Tor and Firefox any
way you like on Ubuntu 13.10.

You'll immediately find out that, by default, the (secure) Tor icon is
inexplicably confused with the (insecure) Firefox.
That is, the launcher for Tor will not exist; so if you open a (secure) Tor
browser and an (insecure) Firefox browser, you have to constantly click on the
(insecure) Firefox launcher, and then carefully scrutinize the similar-looking
windows (sometimes having to go as far as Help->About) in order to determine
WHICH browser you're actually running.

One mistake (which is inevitable), and you're dead.
Note: On all other operating systems, the Tor Browser Bundle shows up as a
DIFFERENT browser than the (insecure) Firefox, so there are vastly fewer
chances for an inadvertent mistake.

To make matters worse, only on Ubuntu 13.10 (and not on any of the other
operating systems tested), the Vidalia Control Panel (which comes
standard with the Tor Browser Bundle) also doesn't show up after
installing the Tor Browser Bundle as per the instructions on the Tor web
site.

This means that all the control settings of Vidalia are NOT AVAILABLE to
the user on Ubuntu, further potentially compromising the Ubuntu 13.10
users.

On the Ubuntu forums, there are long threads on how to partially work
around these severe usability bugs, but nobody yet has proposed a
solution that actually works. All you can do so far is PARTIALLY
disengage the (insecure) Firefox from the (secure) Tor Browser Bundle -
but you still can't get Vidalia to come up, even with the proposed
workarounds.

For INSTRUCTIONS on how to install the Tor Browser Bundle (English) on Ubuntu
13.10, simply go here:
https://www.torproject.org/projects/torbrowser.html.en
There is no sense reproducing those instructions here because they are standard
for all Linux operating systems.

Once you install the Tor Browser Bundle, the problems I've described
above will show themselves instantly, the moment you launch both an
(insecure) Firefox browser and a (secure) Tor browser.

When this bug is fixed, I'd expect:
1. When you install the Tor Browser Bundle on Ubuntu, a SEPARATE launcher for
the (secure) Tor browser will result.
2. Also, a SEPARATE control panel for Vidalia will be available to the user.
3. It would be expected that the (insecure) Firefox launcher will be unaffected.

** Affects: ubuntu
     Importance: Undecided
         Status: New


** Tags: browser bundle conttrol firefox launcher panel tor vidalia

** Attachment added: "Picture of the Vidalia and Firefox launcher icons, after
instituting the partial workarounds."
https://bugs.launchpad.net/bugs/1272025/+attachment/3955230/+files/bad_ubuntu_bug.jpg

** Information type changed from Private Security to Public Security
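The report's expected fix is a launcher for the Tor Browser that Unity keeps separate from the system Firefox launcher. The script below is an added example of how an administrator can supply such a launcher by hand; it is not code from the bug report, from Ubuntu or from the Tor Project. It assumes (neither of which the report states) that Unity matches a running window to a launcher entry by the window's WM_CLASS, so the launcher must declare a `StartupWMClass` that differs from Firefox's, and that the bundle's `start-tor-browser` script starts the browser with a distinct WM_CLASS (the default "Tor Browser" below is an assumption; confirm it on the running window with `xprop WM_CLASS` before relying on it). The bundle directory and icon path are placeholders for wherever the bundle was unpacked.

```shell
#!/bin/sh
# Added example, not from the bug report or the Tor Project.
# Writes a separate .desktop launcher for the Tor Browser Bundle so that
# Unity does not attribute Tor Browser windows to the Firefox launcher.
#
# Assumptions (not stated in the report):
#   - "$tbb_dir" is where the bundle was unpacked and holds start-tor-browser
#   - Unity matches windows to launchers by WM_CLASS, so the launcher declares
#     StartupWMClass, and the bundle starts the browser with that class
#     (default "Tor Browser" is assumed; check with: xprop WM_CLASS)

make_tor_launcher() {
    tbb_dir="$1"                    # e.g. "$HOME/tor-browser_en-US" (assumed)
    out_file="$2"                   # e.g. "$HOME/.local/share/applications/tor-browser.desktop"
    wm_class="${3:-Tor Browser}"    # assumed WM_CLASS of the bundle's browser
    icon="${4:-$tbb_dir/ICON_PLACEHOLDER.png}"   # placeholder; point at a distinct icon

    mkdir -p "$(dirname "$out_file")"
    cat > "$out_file" <<EOF
[Desktop Entry]
Type=Application
Name=Tor Browser
Comment=Anonymous browsing via the Tor Browser Bundle (separate from Firefox)
Exec=$tbb_dir/start-tor-browser
Icon=$icon
Terminal=false
Categories=Network;WebBrowser;
StartupWMClass=$wm_class
EOF
    chmod 644 "$out_file"
}

# Check that a launcher file is distinguishable from the Firefox launcher:
# succeeds only if it declares a StartupWMClass that is not "Firefox".
launcher_is_distinct() {
    f="$1"
    grep -q '^StartupWMClass=' "$f" || return 1
    grep -qi '^StartupWMClass=firefox$' "$f" && return 1
    return 0
}

# Usage (paths are placeholders):
#   make_tor_launcher "$HOME/tor-browser_en-US" \
#       "$HOME/.local/share/applications/tor-browser.desktop"
#   launcher_is_distinct "$HOME/.local/share/applications/tor-browser.desktop" \
#       && echo "launcher declares its own WM_CLASS"
```

After writing the file, log out and back in (or otherwise let Unity rescan `~/.local/share/applications`) and confirm that a Tor Browser window, once open, highlights the new entry rather than the Firefox one; if it still attaches to Firefox, the WM_CLASS reported by `xprop` differs from the value in `StartupWMClass` and the launcher must be adjusted to match.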

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1272025

Title:
  Privacy leak ONLY on Ubuntu 13.10/Unity using default official Tor
  Browser Bundle (including Vidalia)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1272025/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
