[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Albert López newlog at overflowedminds.net
Mon Aug 5 01:56:32 PDT 2013


BTW (same comment in two pages :P):
The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53. People who are on the latest supported versions of Firefox are not at risk. Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.
So it means that the vulnerability exploited was not even a 0day and Tor users using updated software were not affected.
In fact, there has been tooooo much discussion for someone (FBI) exploiting a patched vulnerability...



gpg --keyserver pgp.mit.edu --search-keys EEE5A447
http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex


From: nadim at nadim.cc
Date: Mon, 5 Aug 2013 10:46:58 +0200
To: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

 
On 2013-08-05, at 10:46 AM, Georg Koppen <g.koppen at jondos.de> wrote:
 
> On 05.08.2013 10:15, Nadim Kobeissi wrote:
>> Now, we find out that the FBI has been sitting on an exploit for an unknown amount of time that can compromise the Tor Browser Bundle
> 
> Is that really so? See:
> https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
> first comment.
 
Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser security advisory in that case.
 
NK
 
> 
> Georg
> 
> --
> Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
 
