Tor Browser 11.0.2 released. Tor site blocking extension. Possible attacks on Tor

Submitted by release specialized browser Tor Browser 11.0.2focused on ensuring anonymity, security and privacy. When using the Tor Browser, all traffic is redirected only through the Tor network, and it is impossible to contact directly through the standard network connection of the current system, which does not allow tracing the user’s real IP address (in the event of a browser hacking, attackers can gain access to the system parameters of the network, so for a complete to block potential leaks, use products such as Whonix). Tor Browser builds prepared for Linux, Windows and macOS.

For additional protection, the Tor Browser includes the HTTPS Everywhere add-on, which allows you to use traffic encryption on all sites where possible. To reduce the threat from attacks using JavaScript and block plugins by default, an add-on is supplied NoScript… To combat blocking and traffic inspection, alternative transports are used. To protect against highlighting visitor-specific features, the APIs WebGL, WebGL2, WebAudio, Social, SpeechSynthesis, Touch, AudioContext, HTMLMediaElement, Mediastream, Canvas, SharedWorker, WebAudio, Permissions, MediaDevices.enumerateDevices and screen.orientation are disabled or limited, and are also disabled telemetry sending tools, Pocket, Reader View, HTTP Alternative-Services, MozTCPSocket, “link rel = preconnect”, libmdns modified.

The new version is synchronized with the release codebase
Firefox 91.4.0, which eliminated 15 vulnerabilities, of which 10 are marked as dangerous. 7 vulnerabilities are caused by memory problems, such as buffer overflows and access to already freed memory areas, and can potentially lead to the execution of an attacker’s code when opening specially designed pages. Some ttf fonts were excluded from the build for the Linux platform, the use of which led to breaking rendering text in interface elements in Fedora Linux. Disabled setting “network.proxy.allow_bypass”, which controls the proxy API misuse protection activity in add-ons. For the obfs4 transport, the new gateway is enabled by default “deusexmachina“.

Meanwhile, the story continues with the blocking of Tor in the Russian Federation. Roskomnadzor changed v registry prohibited sites mask of blocked domains from “” to “*” and expanded list of IP addressesto be blocked. The change has blocked most of the Tor project subdomains, including,, and There remains hosted in the Discourse framework. Partially accessible are and, to which access was initially lost, but then was restored, probably after changing IP addresses (gitlab is now directed to the host

At the same time, the blocking of gateways and nodes of the Tor network, as well as the host (Microsoft CDN), used in the meek-asure transport, was no longer noted. Apparently, experiments with blocking Tor nodes after blocking the Tor site stopped. A difficult situation with a mirror tor.eff.orgwhich continues to work. The fact is that the mirror is tied to the same IP address that is used for the domain of the organization EFF (Electronic Frontier Foundation), therefore blocking will lead to partial blocking of the site of a well-known human rights organization.

Additionally, you can note publication new report about possible attempts to carry out attacks to deanonymize Tor users associated with the KAX17 group, which is allocated by a specific fake contact email in the node parameters. During September and October, the Tor project was blocked 570 Potentially Malicious Hosts. At its peak, the KAX17 group managed to bring the number of controlled nodes in the Tor network to 900 hosted by 50 different providers, which corresponds to about 14% of the total relays (for comparison, in 2014, attackers managed to gain control over almost half of Tor relays, and in 2020 over 23.95% of exit nodes).

Placing a large number of nodes controlled by one operator allows users to deanonymize using a Sybil-class attack, which can be carried out if attackers have control over the first and last nodes in the anonymization chain. The first node in the Tor chain knows the user’s IP address, and the last one knows the IP address of the requested resource, which makes it possible to deanonymize the request by adding a certain hidden label on the side of the input node to the packet headers that remain unchanged throughout the entire anonymization chain, and analyzing this label for side of the exit node. With controlled exit nodes, attackers can also make changes to unencrypted traffic, such as removing redirects to HTTPS variants of sites and intercepting unencrypted content.

By data of the Tor network, most of the nodes removed in the fall were used only as intermediate nodes, not used to process incoming and outgoing requests. Individual researchers celebratethat the nodes belonged to all categories and the probability of hitting the input node controlled by the KAX17 group was 16%, and at the output node – 5%. But even if this is so, then the overall probability of a user hitting simultaneously the input and output nodes of a group of 900 nodes controlled by KAX17 estimated at 0.8%. There is no direct evidence of the use of KAX17 nodes to carry out attacks, but such attacks are not excluded.


About Lee Michaelis 142812 Articles
Before starting GamingDeputy, I used to spend my day modding games and searching for new wallpapers. A vivid writer and a blogger. I enjoy giving tech support to people in help (mostly my brother). Racing, MMO, RTS games are my favs.