Tor Browser is generally considered the go-to browser for the anonymity and privacy lovers, the notion may be slightly challenged after the discovery of the “TorMoil” vulnerability in the browser.
It’s good that the vulnerability isn’t on blog posts and tweets for now, so it may as well be the best time to patch the Tormoil vulnerability before it does something you may regret?
So what exactly is the Tormoil vulnerability and how damaging is it?
Everything about the TorMoil Vulnerability
The name seems well-rhymed with “Turmoil” which literally means a state of disturbance or confusion and that’s exactly what the vulnerability has brought with itself.
The Tormoil vulnerability was discovered by the folks over at “We Are Segment” and what it does is- leaks your IP address. (People who use Tor with VPN no need to worry but if you are the one who use Tor without VPN, update it now and get a best VPN service to keep safe yourself from such bugs in future)
Although it’s a URL-specific bug, meaning it doesn’t always happen but only occurs with some of the URLs, like the ones starting with file://.
In those cases, the user’s system may bypasses Tor, and connect directly to the remote host / site hence exposing your IP address as in those cases the traffic won’t be routed via the Tor nodes.
Although there’s a piece of good news as well, it effects only the MacOS and Linux users, so the users using Windows are safe for now.
What Caused the Bug and How to Fix it?
Tor is a browser based on FireFox, so the way Firefox handles the file://.” URLs wasn’t as well-coded as the team believed it to be resulting in the vulnerability.
After the Vulnerability was disclosed to the Tor developers, they released an update which fixes the loophole temporarily for now.
The simplest way to get it done is, update your Tor browser if you’re a Linux or Mac user. Windows users need not do so, although updating won’t hurt.
How Damaging is it and How Exposed are You?
The vulnerability isn’t disclosed by the “We are Segment” team yet, only its consequences or causes, but not how exactly it can be exploited.
Also as per the reports from The Tor Project, no other tor-based program or project such as TAILS, the Sandboxed Tor or anything else is effected by the vulnerability.
“”We are not aware of this vulnerability being exploited in the wild”, were the exact words from the Tor team.
Although they did accept that the File:// URL feature may break at times for now and users may have to use a new tab to use the feature.
Also, the update for the Tor browser which fixes the issue seems only to be temporary.
Anyone with good-enough knowledge of codes and programming can simply compare the unpatched and patched version of the browser and detect the changes in the code.
This may grant them ways to exploit either the current vulnerability, or come up with newer ways to do so as what causes the vulnerability won’t be a secret.
How damaging it is for you will depend on who you are, and what you do with Tor. If you simply like anonymity and stroll around the web, it won’t be much of a problem.
But then again, the govt. or no other third-party is aware of how to exploit the vulnerability for now except the team who found the loophole so if you fix it before things get awry, there’s still hope for you.
How to Fix TorMoil & Keep Safe from Such Bugs in Future
There’s a way to fix or avoid the bug without updating Tor, or even if you update Tor, this method should always be used with Tor, bug or no bug.
Use a VPN!
Yes, I’ve said it quite a few times now, infact I almost mention using Tor with good VPN Software. Tor isn’t the “ultimate anonymity solution” and it’s something they accept as well.
Not just for this vulnerability, even when there’s no bug or loophole using a VPN is always advised because even if Tor routes your traffic through the nodes and hides your IP address, it’s never enough.
A VPN on the other hand will provide you with a secondary IP address, hiding your real-IP address so even when there’s a bug or vulnerability with Tor, you’re still protected.
Now my personal favourite is NordVPN, for a lot of reasons primarily because it offers over 60+ countries and its “No logs policy” really doesn’t store any logs.
The VPN also provides for additional encryption which otherwise isn’t available with Tor browser.
Why Tor Matters, Even for the Good Guys
This Tor vulnerability doesn’t only effect the Dark web traders or people with illegal intents or actions.
Tor has quite a few legal uses as well, primarily when it’s used by Whistleblowers to expose powerful organizations, companies or individuals, it becomes crucial that their identity remains safe.
Even people from restricted regions such as China or Pakistan may need unrestricted Internet Access or access to things which the govt. of those countries isn’t very fond of.
So this or any other legal use of Tor will totally be affected if it becomes obsolete on the one thing it promises to deliver- privacy and anonymity.
Not to mention that it’ll be a nightmare for the Dark web users and a feast for the FBI or any other law enforcement agency.
Final Words on TorMoil Vulnerability
So in a nutshell, yes it’s a serious enough vulnerability to warrant a mention on and attention of every Tor user, but nothing that can’t be handled.
Simply update your Tor browser, and get a good VPN software and keep using it even after all and any bugs are fixed.
Also, the Tor team would obviously come up with a permanent fix to the problem but till then the current update has to do.
Let us know what are your thoughts about Tor’s future, and this vulnerability in general in the comments.
Share this post with your other fellow Tor users and on your social media.